NOTE: UPMC does not currently do business with Professional Business Systems, Inc. d/b/a Practicefirst; however, from 2009 to 2013 Practicefirst provided services to WCA Services Incorporated, a company that UPMC obtained in 2016 by way of its acquisition of UPMC Chautauqua. As such, all potentially affected data described in the following breach notice was obtained by Practicefirst in 2013 or earlier from WCA Services Incorporated and not from UPMC.
Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (“Practicefirst” or “We”), a medical management company that processes data for health care providers, provided UPMC with notice of a recent incident that may affect the security of employee and patient information (“Information”).
On December 30, 2020, Practicefirst learned that an unauthorized actor who attempted to deploy ransomware to encrypt their systems copied some files from their system, including files that contain limited patient and employee personal Information. Upon learning of this, Practicefirst shut down their systems, changed passwords, alerted law enforcement, and retained national privacy and security experts. Practicefirst is not aware of any fraud or misuse of any of the Information as a result of this Incident. The hacker who took the copy informed Practicefirst that the Information is destroyed and was not shared.
The Information, copied from Practicefirst’s system by the unauthorized actor before it was permanently deleted, included the following categories of information: name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, and bank account and/or credit card/debit card information. This describes general categories of information involved in this Incident; many records did not include all categories.
Practicefirst immediately reported the Incident to appropriate law enforcement authorities and implemented measures to further improve the security of their systems and practices. They worked with a leading privacy and security firm to aid in their investigation and response and reported the Incident to relevant government agencies. They also implemented additional security protocols designed to protect their network, email environment, and systems.
Practicefirst established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals seeking additional information may call the toll-free assistance line at 855-731-3351. This toll-free line is available Monday through Friday, from 9:00 a.m. to 6:30 p.m. Eastern Time (excluding some U.S. national holidays).
Practicefirst encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To obtain a free credit report, individuals may visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Alternatively, affected individuals can contact the three major credit reporting bureaus directly at the addresses below:
Contact information for the three nationwide credit reporting companies is as follows:
Moreover, information regarding identity theft, fraud alerts, security freezes, and the steps an individual can take to protect personal information may be obtained by contacting the consumer reporting agencies, the Federal Trade Commission, or the appropriate state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Individuals can obtain further information on how to file such a complaint by calling 1-877-438-4338. Individuals should file a police report if they are a victim of identity theft or fraud. To file a report with law enforcement for identity theft, an individual will likely need to provide some proof that they have been a victim.
CaptureRx is alerting more than 7,400 UPMC Cole and UPMC Wellsboro patients that some of their personal data may have been inappropriately accessed as the result of an information security breach at the company, which provides third-party administrative services to UPMC. This event did not occur at UPMC or affect the security of its electronic patient records or other computer systems.
CaptureRx was recently the victim of a data breach in which hackers stole data. CaptureRx confirmed to UPMC in April 2021 that some of UPMC’s patient information may have been stolen in this breach. CaptureRx ultimately recovered the data and while there is no evidence that this data has been misused at this time, CaptureRx and UPMC are alerting affected patients through personal letters and public notification.
CaptureRx’s investigation determined that its affected email accounts contained various types of information, including first name, last name, date of birth, and prescription information. CaptureRx has established a toll-free assistance hotline for those with additional questions and concerns: 855-654-0919 (toll free).
CaptureRx and UPMC encourage potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, credit reports and explanation of benefits forms for suspicious activity and to report any suspicious activity immediately to their insurance company, health care provider or financial institution.
If you believe that you may have been affected by this breach, you can obtain information on obtaining a free credit report annually from each of the three major credit reporting bureaus by visiting www.annualcreditreport.com, calling 877-322-8228, or contacting the three major credit bureaus directly at: Equifax, P.O. Box 105069, Atlanta, GA, 30348, 1-800-685-1111, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com. Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General. UPMC has also notified the U.S. Department of Health and Human Services as required by the federal Health Insurance Portability and Accountability Act (HIPAA).