Victim Tally in UPMC Breach Doubles
Employees' Banking Information Exposed
The University of Pittsburgh Medical Center says the total number of employees affected by a recent breach of financial information has potentially more than doubled to include just about its entire workforce of 62,000, although it's not revealing many details about the incident. The medical center originally reported in February that 27,000 of its staff members had been affected by the breach.
So far, the breach has led to nearly 800 workers falling victim to federal income tax fraud, as well as the filing of two class action lawsuits. However, one of those suits filed in federal court was voluntarily dismissed by plaintiffs' attorneys, according to court documents. An incorrect software vendor was named along with UPMC as a defendant in that dismissed suit.
A class action lawsuit filed in the Allegheny County, Penn., Court of Common Pleas is ongoing, says Michael Kraemer, an attorney at the law firm Kraemer, Manes LLP, which is representing the plaintiffs. The revised number of victims impacted by the breach "increases the size of the class" in the suit, he tells Information Security Media Group.
The law firm is suing UPMC for negligence, invasion of privacy and breach of implied contract. The suit seeks unspecified damages and asks that the medical center cover the cost of plaintiffs obtaining credit monitoring services for 10 years.
In late February, the medical center learned that some of its employees were targeted by a fraudulent federal income tax return scheme (see Employee Breach Linked to Fraud).
Since then, "UPMC has been informed by law enforcement authorities, based on their ongoing investigation, that more employee information was stolen than they originally knew," according to a statement the medical center provided to Information Security Media Group. "This new information has indicated that employee names, Social Security numbers, addresses, salaries, bank account numbers and bank routing numbers may have been accessed," the statement says.
"UPMC is working diligently with external agencies, including the IRS, Secret Service and U.S. Postal Inspection Service, under the guidance of the United States Attorney, and police to identify the circumstances in which the identity theft occurred. That investigation is ongoing."
UPMC did not respond to an ISMG query about whether the source of the breach has been identified.
However, UPMC says it is taking a number of actions to help staff who have been or may become victims of identity theft. Those measures include:
- Discussions with vendor LifeLock to extend free coverage for five years for all UPMC employees who choose to enroll in ID theft monitoring;
- Communicating via letter and phone call to every employee's home alerting them of the situation and the essential steps they need to take;
- Alerting major banks;
- Providing a hotline for employees who have questions;
- Planning educational webinars for staff and their families about identity theft protection;
- Continuing to work with federal law enforcement agencies in the investigation;
- Monitoring security practices and enhancing or changing them as warranted.