The scope of a data breach at UPMC that may have exposed Social Security numbers, addresses, salaries and bank account information to identity thieves has widened to potentially include all of its 62,000 workers, the health care conglomerate informed employees in an email Friday.
"Outside of the 817 confirmed victims of tax fraud, we are not aware of any other fraud perpetrated against UPMC relating to this situation," the email stated. "In the interest of protecting our staff, we are now urging all of our employees to take the proper precautions to protect their personal information."
The number of employees at risk has expanded exponentially -- from a few dozen, to several hundred to tens of thousands -- since February, when the company acknowledged that about 22 employees had been victimized by fraudulent income-tax return schemes.
In April, a UPMC spokesperson said all employees who could have been potentially affected by the breach, then estimated at 27,000, had been notified.
Gloria Kreps, a UPMC spokeswoman, said that the email sent to employees was based on new information from the ongoing investigation into the breach, which is being handled by local police, the FBI, the U.S. Secret Service, the U.S. attorney's office and the Internal Revenue Service.
A spokeswoman for U.S. Attorney David Hickton said that investigators are working diligently to advance the investigation but declined to provide details.
"UPMC has been informed by law enforcement authorities based on their ongoing investigation that more employee information was stolen than they originally knew," Ms. Kreps wrote in an email. "This new information has indicated that employee names, Social Security numbers, addresses, salaries, bank account numbers and bank routing numbers may have been accessed."
In the email to employees, UPMC said it is "a victim in an all-too-frequent crime of hacking and data theft."
"Please be assured that we have done all that we can to make sure our systems are secure and we do not believe that a similar attack would be successful in the future," the company wrote. "We continue to take steps to mitigate risk for our employees. But the reality is that cyber theft is now very common and can be present in many types of online transactions. Once again, we apologize for this difficult and troubling news. We stand ready to assist you through this process and remain hopeful that by working with the authorities that we can bring these criminals to justice in the future."
Ms. Kreps said UPMC has notified all employees via phone and letter, alerted major banks, provided a hotline for employees with questions and is planning educational Web seminars for staff and family members about identity-theft protection.
UPMC also has made free identity protection services available to employees through LifeLock and is in discussions with the company to extend that service for five years.
A class action suit was filed against UPMC in February in Allegheny County Common Pleas Court on behalf of employees who had fraudulent bank accounts opened in their names and tax returns stolen.
The lawsuit alleges that vulnerabilities in UPMC's computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.
Benjamin Sweet, one of the attorneys representing the plaintiff class, called the news that all employees may be affected "troubling."
"It's hard to know what the next shoe to drop will be," Mr. Sweet said. "At a minimum, UPMC owes its employees and the public an immediate and full accounting of the facts. ... Can it confirm whether the data breach is confined to UPMC employees or has any patient-level data been compromised? If so, how many patients and over what length of time?"
Ms. Kreps said the breach was confined to employees' information.
"This breach affected our payroll system, which is completely separate from patient financial and medical information," Ms. Kreps said.
Mr. Sweet said it is too early to tell whether the news of the wider data compromise "will change the complexion of the case" but said it will be made known to the court.
First Published: May 30, 2014, 5:45 p.m.
Updated: May 31, 2014, 4:18 a.m.