The scope of a data breach at University of Pittsburgh Medical Center (UPMC) that may have exposed Social Security numbers, addresses, salary and bank account information to identity thieves has now widened to potentially include all of its 62,000 workers, the health-care conglomerate informed employees in an email today.
“Outside of the 817 confirmed victims of tax fraud, we are not aware of any other fraud perpetrated against UPMC relating to this situation,” the email says. “In the interest of protecting our staff, we are now urging all of our employees to take the proper precautions to protect their personal information.”
The number of employees at risk has expanded exponentially — from a few dozen to several hundred to thousands — since February, when the company acknowledged that about 22 employees had been victimized by a fraudulent income-tax return scheme.
In April, a UPMC spokesperson said all employees who could have been affected by the breach, then estimated at about 27,000, had been notified.
Gloria Kreps, a UPMC spokeswoman, said that the email sent to employees today was based on new information from the ongoing investigation into the breach, which is being handled by local police, the FBI, the U.S. Secret Service, the U.S. attorney’s office and the Internal Revenue Service.
“UPMC has been informed by law enforcement authorities based on their ongoing investigation that more employee information was stolen than they originally knew,” Ms. Kreps wrote in an email. “This new information has indicated that employee names, Social Security numbers, addresses, salaries, bank account numbers and bank routing numbers may have been accessed.”
Ms. Kreps said UPMC is notifying all employees via phone and letter, has alerted major banks, provided a hotline for employees with questions and is planning educational web seminars for staff and family members about identity-theft protection.
UPMC has also made free identity protection services available to employees through LifeLock and is in discussions with the company to extend that service for five years.
A spokeswoman for U.S. attorney David Hickton said that investigators are working diligently to advance the investigation.
A class action suit was filed against UPMC in February in Allegheny County Court of Common Pleas on behalf of employees who had fraudulent bank accounts opened in their names and tax returns stolen.
The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed the breach and that the company did not reasonably safeguard the sensitive information in its care.
Benjamin Sweet, one of the attorneys representing the plaintiff class, called the news that all employees may be affected "troubling."
"It’s hard to know what the next shoe to drop will be," Mr. Sweet said. "At a minimum, UPMC owes its employees and the public an immediate and full accounting of the facts. ... Can it confirm whether the data breach is confined to UPMC employees or has any patient-level data been compromised? If so, how many patients and over what length of time?"
He said it is too early to tell whether the news "will change the complexion of the case" but said it will be made known to the court.
Ms. Kreps said the breach was confined to employees’ information.
“This breach affected our payroll system, which is completely separate from patient financial and medical information,” Ms. Kreps said.
©2014 the Pittsburgh Post-Gazette