Unauthorized access to employee information at the University of Pittsburgh Medical Center has resulted in the notification of about 27,000 employees, and the offering of LifeLock identity protection services to all employees, which total about 62,000.

Of the 27,000 employees known to have had their information accessed, 788 have reported being victims of fraud, often by finding out when filing income taxes that a filing had already been done.

Compromised data included names, addresses, dates of birth and Social Security numbers. The university is working with the Internal Revenue Service, Federal Bureau of Investigation, Secret Service and information technology professionals to determine the causes and reach of the breach, according to a notification letter sent to employees. The letter advises employees to contact the IRS, Federal Trade Commission, credit card companies and banks, and UPMC is offering assistance in completing these tasks.

Media reports that multiple employees have had their bank accounts drained are incorrect, Gloria Kreps, a UPMC spokesperson, tells Health Data Management. “There are absolutely no reports of drained bank accounts. That was erroneous reporting.”

However, a lawsuit filed on behalf of UPMC employees seeking class action status identifies two plaintiffs who claim to have been notified by Ally Bank of recently opened accounts they did not open. One of the plaintiffs also learned a tax return had been fraudulently filed in her name and the other plaintiff learned that the bank believed his account had been compromised. The suit, filed by the Pittsburgh law firm Kraemer, Manes & Associates LLC, does not specifically allege that the compromised account was drained. The suit accuses UPMC of neglect in securing information, invasions of privacy, and breach of implied contract to protect information. Among other requests for relief, plaintiffs ask that credit monitoring services be offered for 10 years.

In a phone interview with HDM, Michael Kraemer, founding partner of the law firm that filed the suit seeking class action, said a “bunch” of emptied accounts have been reported but he doesn’t yet know how many. He acknowledged that such instances sometimes are misreported and may actually have occurred because a family member took the funds.

(See also: 10 Cyber Security Tips from the FCC)

UPMC has until April 30 to answer initial charges in the suit and more information will be known then, Kramer adds. One of the plaintiffs in the suit alerted UPMC on February 10 that employee information had been compromised. Kraemer says he has reports that the organization new something was amiss before January “and we’re fairly certain they knew in early January.” UPMC spokesperson Kreps says the organization first learned of a problem from one employee on February 19, by the 21st had heard from five employees, started looking for patterns on the 24th and first communicated to employees on the 26th.

The lawsuit is available here.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access