Email Account Breach at Charles J. Hilton & Associates P.C. and Phishing Attack at UPMC Health Plan

University of Pittsburgh Medical Center (UPMC) has reported that the protected health information (PHI) of over 36,000 patients was potentially accessed by unauthorized persons following a cyberattack on a company that provides UPMC with billing-related legal services.

In June 2020, Charles J. Hilton & Associates P.C. (CJH) identified suspicious activity in the email account of an employee and started an investigation. On July 21, 2020, CJH confirmed that hackers had access to the email accounts of a number of its personnel from April 1, 2020 to June 25, 2020.

Computer forensics professionals conducted an extensive investigation into the incident to determine which information the hackers accessed or stole. UPMC said it was notified of the breach in December 2020, with confirmation that attackers had accessed the patient data. CJH is currently sending breach notification letters to all patients possibly affected by the breach. UPMC stated that none of its systems was impacted, not even its electronic medical record system. The only information involved was patient data given to CJH so that it could provide its contracted billing-related legal services.

CJH stated that the compromised accounts contained names, dates of birth, bank or financial account numbers, Social Security numbers, state identification card numbers, driver’s license numbers, electronic signatures, Medicare or Medicaid identification numbers, medical record numbers, patient control numbers, patient account numbers, visit numbers, trip numbers, individual health insurance or subscriber numbers, group medical insurance or subscriber numbers, medical benefits and entitlement details, disability access and accommodation, and data linked to occupational health, drug tests, diagnosis, treatment, symptoms, prescription medications, billing or claims, and/or disability.

CJH is offering free membership in credit monitoring and identity theft protection services to individuals affected by the breach.

19,000 Members Affected by UPMC Health Plan Phishing Incident

19,000 UPMC Health Plan members are being notified of the potential compromise of some of their PHI. An unauthorized person accessed the email account of a UPMC Health Plan employee on December 8, 2020. UPMC Health Plan was notified of the breach the next day.

The data contained in the breached email account included only names, birth dates, names of parents/guardians, and limited clinical data, such as dental provider and procedure details. No evidence was found to suggest misuse of any plan member data.

This phishing attack does not appear to be linked to the Charles J. Hilton & Associates P.C. phishing attack.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA