University of Pittsburgh Medical Center Data Breach Results in Fraudulent Income Tax Returns

Lawsuit claims University of Pittsburgh Medical Center was negligent by failing to guard the sensitive information in its care.


As many as 322 University of Pittsburgh Medical Center employees — 300 more than initially reported — have been affected by a data breach and identity theft scheme, the hospital system said on Thursday.

The breach allowed someone to use the employees' personal information to electronically file fraudulent income tax returns.

Officials said they are trying to determine the source of the ID theft and are working with the Internal Revenue Service, FBI, postal inspectors and the Secret Service. The U.S. Attorney's Office in Pittsburgh confirmed it opened an investigation but declined further comment.

“We don't know how many staff ultimately will be impacted,” said Gloria Kreps, a spokeswoman for UPMC, the region's largest employer. “Unfortunately, this type of tax fraud is common and is a national problem.”

In just the first six months of 2013, 1.6 million taxpayers were affected by identity theft, compared with 271,000 for all of 2010, according to a recent audit by the Treasury Department's inspector general.

When a taxpayer who is owed a refund becomes a victim of ID theft and the thief files a return first, the victim can still get his or her money by going through an agency process, said IRS spokeswoman Jennifer Jenkins.

Kreps said UPMC has established a payroll hotline; published information for employees on the company's internal website; hired a tax firm to help employees complete an IRS identity theft form; and will reimburse employees up to $400 to use their own accountant. Additionally, UPMC will provide credit monitoring services to the affected employees and reimburse them if they have to pay for police reports, Kreps said. The hospital system employs more than 62,000.

The breach at UPMC spawned a class-action lawsuit filed last week in Alle­gheny County Common Pleas Court that claims UPMC was negligent by failing to guard the sensitive information in its care.

Michael Kraemer, an attorney representing two UPMC McKeesport employees named in the lawsuit, on Thursday said he has spoken with more than 50 employees who experienced ID theft. Kraemer said the employees are “emotionally distraught trying to handle this mess.”

On Wednesday, Point Park University President Paul Hennigan alerted university employees of a possible breach there after a package from the school's payroll processing vendor was missing reports that may have included names, home addresses, Social Security numbers, wage information, birth dates and bank account and routing numbers.

Hennigan said Point Park is investigating and has not received any indications that the report was stolen or that any information in it has been misused.

Chris DiIenno, a lawyer with Lewis, Brisbois, Bisgaard & Lewis, the Philadelphia-based law firm working with the university and the payroll contractor, said information for up to 1,800 Point Park employees may have been contained in the missing reports.

“Our investigation continues and we continue to make plans to provide a second notice to the affected that will provide them with access to identity monitoring,” DiIenno said.

©2014 The Pittsburgh Tribune-Review (Greensburg, Pa.)