UPMC breach worse than first reported

Theft affects all 62,000 employees
By Mike Miliard
10:48 AM

More than twice as many people as first suspected have been put at risk by a massive data breach at UPMC health system.

This past March, UPMC officials first reported that the tax information of 322 of its employees had been obtained by a hacker. In April, the health system put out word that some 27,000 employees were actually at risk, with Social Security numbers, bank account information, addresses and other private data compromised.

[See also: UPMC breach strikes 27,000 employees.]

More than 800 employees have had fraudulent tax returns filed under their names, and some reportedly even saw their bank accounts depleted.

Officials noted that the health system – one of Pennsylvania's largest employers – was working with IRS, FBI and Secret Service to investigate what had the earmarks of a national scheme.

On May 30, UPMC revised the number of those affected upward once again – reporting that all 62,000 of its employees are now at risk of identity theft.

"Recent developments in the ongoing investigation suggest that the scope may be larger than originally thought, potentially affecting every employee," UPMC officials wrote in an email to employees, according to the Pittsburgh Tribune-Review.

The health system has made free LifeLock fraud detection technology available to its employees. But now it must contend with a class-action lawsuit, brought by a UPMC clinician, that asks it to provide credit and bank monitoring and other ID theft protections for the next 25 years.

[See also: Medical identity theft hits growth phase.]

Meanwhile, UPMC officials have emphasized once again that patient data is not at risk.

"This breach affected our payroll system, which is completely separate from patient financial and medical information," said UPMC spokesperson Gloria Kreps in a statement.