Wednesday, February 26, 2025, 1:06AM |  45°
MENU
Advertisement
1
MORE

UPMC hacking widespread

Bob Donaldson/Post-Gazette

UPMC hacking widespread

Identity theft danger threatens 62,000 workers; no patient files involved, officials say

The scope of a data breach at UPMC that may have exposed Social Security numbers, addresses, salaries and bank account information to identity thieves has widened to potentially include all of its 62,000 workers, the health care conglomerate informed employees in an email Friday.

"Outside of the 817 confirmed victims of tax fraud, we are not aware of any other fraud perpetrated against UPMC relating to this situation," the email stated. "In the interest of protecting our staff, we are now urging all of our employees to take the proper precautions to protect their personal information."

The number of employees at risk has expanded exponentially -- from a few dozen, to several hundred to tens of thousands -- since February, when the company acknowledged that about 22 employees had been victimized by fraudulent income-tax return schemes.

Advertisement

In April, a UPMC spokesperson said all employees who could have been potentially affected by the breach, then estimated at 27,000, had been notified.

Gloria Kreps, a UPMC spokeswoman, said that the email sent to employees was based on new information from the ongoing investigation into the breach, which is being handled by local police, the FBI, the U.S. Secret Service, the U.S. attorney's office and the Internal Revenue Service.

A spokeswoman for U.S. Attorney David Hickton said that investigators are working diligently to advance the investigation but declined to provide details.

"UPMC has been informed by law enforcement authorities based on their ongoing investigation that more employee information was stolen than they originally knew," Ms. Kreps wrote in an email. "This new information has indicated that employee names, Social Security numbers, addresses, salaries, bank account numbers and bank routing numbers may have been accessed."

Advertisement

In the email to employees, UPMC said it is "a victim in an all-too-frequent crime of hacking and data theft."

"Please be assured that we have done all that we can to make sure our systems are secure and we do not believe that a similar attack would be successful in the future," the company wrote. "We continue to take steps to mitigate risk for our employees. But the reality is that cyber theft is now very common and can be present in many types of online transactions. Once again, we apologize for this difficult and troubling news. We stand ready to assist you through this process and remain hopeful that by working with the authorities that we can bring these criminals to justice in the future."

Ms. Kreps said UPMC has notified all employees via phone and letter, alerted major banks, provided a hotline for employees with questions and is planning educational Web seminars for staff and family members about identity-theft protection.

UPMC also has made free identity protection services available to employees through LifeLock and is in discussions with the company to extend that service for five years.

A class action suit was filed against UPMC in February in Allegheny County Common Pleas Court on behalf of employees who had fraudulent bank accounts opened in their names and tax returns stolen.

The lawsuit alleges that vulnerabilities in UPMC's computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

Benjamin Sweet, one of the attorneys representing the plaintiff class, called the news that all employees may be affected "troubling."

"It's hard to know what the next shoe to drop will be," Mr. Sweet said. "At a minimum, UPMC owes its employees and the public an immediate and full accounting of the facts. ... Can it confirm whether the data breach is confined to UPMC employees or has any patient-level data been compromised? If so, how many patients and over what length of time?"

Ms. Kreps said the breach was confined to employees' information.

"This breach affected our payroll system, which is completely separate from patient financial and medical information," Ms. Kreps said.

Mr. Sweet said it is too early to tell whether the news of the wider data compromise "will change the complexion of the case" but said it will be made known to the court.

First Published: May 30, 2014, 5:45 p.m.
Updated: May 31, 2014, 4:18 a.m.

RELATED
SHOW COMMENTS (0)  
Join the Conversation
Commenting policy | How to Report Abuse
If you would like your comment to be considered for a published letter to the editor, please send it to letters@post-gazette.com. Letters must be under 250 words and may be edited for length and clarity.
Partners
Advertisement
The two Franks worked with pizza legends Chris Bianco and Chad Robertson to perfect their craft.
1
life
A beloved pizzeria is expanding beyond Brooklyn. First stop, Mt. Lebanon.
Students at Penn State Fayette, the Eberly Campus in Lemont Furnace, walk to class on Tuesday, Feb. 4, 2025.
2
news
Penn State to close some commonwealth campuses, President Bendapudi announces
Penn State president Neeli Bendapudi spoke during a dedication ceremony for the newly renamed Franco Harris Pittsburgh Center at Penn State, located in Uptown on Tuesday, Dec. 12, 2023.
3
news
Penn State Faculty Senate tables vote of no confidence in President Bendapudi
Pittsburgh Pirates starting pitcher Jared Jones (37) delivers during the first inning of a spring training baseball game against the Atlanta Braves, Tuesday, Feb. 25, 2025, in Bradenton, Fla.
4
sports
3 takeaways as Pirates suffer 1st loss of spring training to Braves
Ireland Brown is charged with assault, hindering apprehension, tampering with evidence and for the conduct of others in connection with what police have called a seemingly unprovoked attack on 53-year-old Preston Coleman at an Aliquippa VFW on Jan. 5. Investigators alleged that while Ms. Brown did not participate in the assault, she did nothing to intervene for the 30 minutes that it went on.
5
news
Lawsuit filed against Aliquippa VFW where ‘brutal’ assault occurred
 (Bob Donaldson/Post-Gazette)
Bob Donaldson/Post-Gazette
Advertisement
LATEST local
Advertisement
TOP
Email a Story