UPMC is posting this notice because of a possible security breach at one of UPMC’s suppliers, “Wolverine Services Group” (“WSG”). WSG performs services for health-related business clients, including UPMC and various health plans and hospital systems (“Healthcare Clients”). We are posting this statement on our website as a precautionary measure and as part of our commitment to patient privacy. UPMC takes patients’ privacy seriously, and it is important to us that you and the community that we serve are made fully aware of a recent security incident at WSG, which potentially involves personal information of UPMC patients.
On approximately September 23, 2018, WSG discovered that an unauthorized party gained access to its computer system and infected the system with malware. The malware encrypted many of WSG’s records (including those pertaining to WSG’s Healthcare Clients), making them inaccessible to WSG, in an effort to extort money from WSG. This is commonly referred to as “ransomware.” Shortly after WSG learned of the incident, it began an internal investigation and hired outside forensic security experts to assist WSG in decrypting and recovering its records. As a result of its investigation, WSG believes that the goal of the malware was simply to encrypt its records to extort a ransom. There is currently no indication that the information itself was extracted from WSG’s servers. Nevertheless, given the nature of the affected files, some of which contained individual patient information (names, addresses, dates of birth, social security numbers, insurance contract information and numbers, phone numbers, and medical information, including some highly sensitive medical information), and out of an abundance of caution, WSG’s goal is to mail letters to all impacted individuals recommending that they take immediate steps to protect themselves from any potential misuse of their information.
WSG is taking steps to guard against identity theft or fraud. It has arranged for affected individuals to have AllClear ID protect their identity. The following identity protection services will be available to all impacted individuals upon receipt of written notice mailed to each individual’s last known address. Only those individuals whose information was impacted will receive written notice. These protections can be used at any time during the next 12 months.
Following your enrollment, additional steps are required by you in order to activate your AllClear phone alerts and fraud alerts, and to pull your credit score and credit file. Additional steps may also be required in order to activate your monitoring options.
We also recommend that you regularly review statements from your accounts (i.e., account statements and Explanations of Benefits (“EOB”)) and periodically obtain your credit report from one or more of the national credit reporting companies. You may obtain a free copy of your credit report online at annualcreditreport.com, by calling toll-free 1-877-322-8228, or by mailing an Annual Credit Report Request Form (available at annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase additional copies of your credit report by contacting one or more of the three nationwide consumer reporting agencies listed below.
When you receive your credit reports, account statements and EOBs, review them carefully. Look for accounts or creditor inquiries, transactions, or services that you did not initiate or do not recognize. Look for information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the consumer reporting agency at the telephone number on the report, the company issuing the account statement, your provider rendering services, or the insurance company issuing your EOB.
We take the protection of your personal information seriously and are taking steps to prevent a similar occurrence. WSG has migrated to a different computer system that has added protections, and we are training our workforce in safeguards.
You may call 1-877-412-7152 if you have questions. Further information about AllClear’s identity protection services is available on the AllClear website at allclearid.com. We sincerely apologize to you and all of our Healthcare Clients for concern caused by this incident.
UPMC Cole has notified 790 patients treated at UPMC Cole that their personal information may have been inappropriately accessed.
“We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected,” said UPMC Cole’s President and Senior Executive, Ed Pitchford. “UPMC is committed to meeting our patients’ privacy expectations. We cannot confirm if any of the information was used for improper purposes, but, out of an abundance of caution, we deemed it appropriate to inform those possibly affected by this breach.”
As a result of UPMC Cole’s internal investigation, it was determined that there were two phishing attacks (e-mails sent from an external source that look like they are from a trusted source, attempt to obtain sensitive information, and often contain links to a phony login page or fake website) on June 7th and June 14th, which were discovered through staff reports of the receipt of the e-mails. The phishing attacks were isolated to e-mail accounts and no medical records systems were breached. The following information was discovered in the e-mails, to varying degrees for each patient: patients’ names, dates of birth, scheduling information, types of procedures, names of providers, and other general treatment information. No patient Social Security numbers were accessed during the phishing attacks.
UPMC Cole has notified the U.S. Department of Health and Human Services as required by the Federal Health Insurance Portability and Accountability Act (HIPAA) that the information may have been accessed.
UPMC Cole has sent letters notifying all of the patients affected.
UPMC Cole has provided patients with information on how to place a fraud alert in their files with the three major credit-reporting companies, and has supplied them with links to access identity protection resources available through the Federal Trade Commission. UPMC Cole has also set up a toll-free telephone line with representatives who can answer questions from these patients and respond to any concerns.
UPMC Cole took immediate corrective action by blocking the unwanted access.
“We are committed to keeping patient information secure and strive to continually implement improvements to prevent such an incident from happening again,” Mr. Pitchford said.
UPMC Cole is a regional health system dedicated to the health and wellbeing of over 60,000 residents in Cameron, McKean, Potter and Tioga counties, plus surrounding areas. The system employs more than 800 people, including more than 70 healthcare providers practicing evidence-based medicine with a goal of advancing comprehensive health for the citizens of north central PA.