UPMC breach strikes 27,000 employees

Medical center working with IRS, FBI, Secret Service to solve what may be national scheme
By Bernie Monegain
10:59 AM
Share
UPMC

UPMC officials say the number of employees affected by a data breach at the renowned medical center is much higher than originally reported - from 322 employees first reported on March 6, now up to 27,000 of a total of 62,000 employees, the  Pittsburgh Tribune-Review reports.

On March 5, UPMC reported that 322 of its employees' tax information had been stolen, but UPMC now believes nearly 27,000 of its total 62,000 employees may be victims of the breach, according to the report.  

[See also: Medical identity theft most potent kind.]

The compromised information contained employees' Social Security numbers, and at least 788 UPMC employees have already had their information used for fraudulent federal tax returns, according to the report.

On April 18, the Pittsburgh Post-Gazette reported that the strike on UPMC employees might be part of a national scheme. It reported that among the 27,000 employees affected by the breach, 788 have experienced some form of tax fraud and several others have had bank accounts wiped clean.

In a letter to employees, UPMC Vice President, Privacy and Information Security and Associate Counsel John P. Houston wrote: "As you know, in late February UPMC learned that some of its employees were targeted by a fraudulent taxt return scheme. We have since determined that the source of information used to commit this crime was obtained through unauthorized access that allowed some personal emplouee information to be exposed.

"Since first indication, we have been working with the Internal Revenue Service, the Federal Bureau of Investigation, the Secret Service, and information technology sources to determine the cause and scope of the breach, to prevent any further unauthorized access, and to track down ther perpetrators of this serious crime."
 

[See also: Medical identity theft hits growth phase.]

As a result of the breach, a class-action lawsuit was filed against UPMC in the Allegheny County Court of Common Pleas. The plaintiffs allege UPMC failed to disclose the data breach in a timely manner and failed to adequately protect employee information.