UPMC Employee Breach Linked to FraudMedical Center Now Says 27,000 Staff Members Impacted
A data breach at the University of Pittsburgh Medical Center, which already has resulted in a lawsuit, compromised information on as many as 27,000 employees and led to 788 workers falling victim to tax fraud.
Kraemer, Manes and Associates LLC, a Pittsburgh law firm, filed a lawsuit seeking class action status in a Pennsylvania court back in February, when the breach was thought to have affected far fewer employees. UPMC provided an update on the size of the breach on April 17.
A breach notification letter sent to UPMC employees says names, addresses and Social Security numbers were exposed.
The letter explains that some employees were targeted by a fraudulent tax return scheme. "We have ... determined that the source of information used to commit this crime was obtained through unauthorized access that allowed some personal employee information to be exposed," the notification letter says.
"We want to assure our patients that no patient information was breached," says Gloria Kreps, a spokesperson for UPMC. "We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach."
Impacted employees are being offered free identity theft protection services through LifeLock for one year. "We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity," Kreps says.
Attorney Michael Kraemer, who was involved in filing the UPMC lawsuit, says the legal action was taken because employees' sensitive information "is out in the wild now."
"This is resulting in a massive amount of time [and] work spent trying to rectify this, making sure all accounts are secure, [utilizing] credit checks, LifeLock [as well as] emotional trauma," he says.
The law firm is suing UPMC for negligence, invasion of privacy and breach of implied contract. The suit seeks unspecified damages and asks that the medical center cover the cost of plaintiffs obtaining credit monitoring services for 10 years.
UPMC did not immediately respond to a request for additional information about the breach or a response to the lawsuit.
In an unrelated incident, UPMC notified 1,300 patients in December 2013 that their records were viewed inappropriately by an employee (see: Medical Center Breaches Lead Roundup).