A cyber-attack on a Pennsylvania law firm has potentially exposed the personal health information (PHI) of more than 36,000 patients of University of Pittsburgh Medical Center (UPMC).
Law firm Charles J. Hilton & Associates P.C. (CJH), which provides legal services to UPMC, discovered suspicious activity in its employee email system in June 2020. An investigation determined that hackers had gained access to several employee email accounts between April 1, 2020, and June 25, 2020.
In December 2020, UPMC received a breach notification report from CJH confirming that whoever hacked into the email accounts may have accessed patient data. CJH is now in the process of writing to all the patients who may have been affected.
Patient information compromised in the attack consisted of data used by CJH to provide its contracted billing-related legal services to UPMC.
Exposed data includes names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, and trip numbers.
Hackers were also able to access Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational health, diagnosis, symptoms, treatment, prescriptions or medications, drug tests, billing or claims, and/or disability.
"After a lengthy investigation by computer forensics specialists, CJH confirmed to UPMC in December that some of UPMC’s patient information may have been accessed in this breach," stated UPMC in a notice posted February 5.
"While there is no evidence that this data was misused, CJH and UPMC are alerting affected patients through personal letters and public notification."
Complimentary credit monitoring and identity-theft protection services are being offered by CJH to patients whose data was compromised. The company has also set up a hotline for people to call with their concerns.
UPMC and CJH are encouraging potentially impacted individuals to review account statements, credit reports, and explanation of benefits forms for suspicious activity and to report any suspicious activity immediately to their insurance company, health care provider, or financial institution.