March 5, 2021
On August 8, 2020 UPMC became aware that protected health information may have been inappropriately disclosed as the result of an employee sending a medication administration report to an outside organization without a business need. UPMC immediately initiated an internal investigation upon becoming aware of the issue.
What information was involved?
Through the investigation, UPMC determined that names, internal UPMC identification numbers and medication administration data may have been inappropriately disclosed. “Medication administration data” may include the drug name, dosage, time/date of administration, and reason for administration. Please be assured that neither Social Security Numbers nor medical records were inappropriately accessed/disclosed.
What are we doing?
UPMC has terminated the responsible employee’s access to UPMC Systems, and they are no longer affiliated with UPMC. Upon discovery of this issue, UPMC notified federal authorities of this event. UPMC has also notified the U.S. Department of Health and Human Services Office for Civil Rights, and will notify other regulatory agencies as appropriate.
We are notifying you out of an abundance of caution and so that that you can take any steps that you feel are necessary to monitor your private information. On March 5, 2021 UPMC began mailing letters to affected patients. This letter includes additional resources and information available to affected patients, should they consider them to be necessary. UPMC established a call center and toll-free hotline for affected individuals who wish to request additional information related to this event. The hotline number will be active for 90 days from the date of this notice, and is available Monday through Friday from 9am to 5pm EST. The number to dial is 1-833-814-8363.
Charles J. Hilton & Associates P.C. (CJH) is alerting more than 36,000 UPMC patients that some of their personal data may have been inappropriately accessed as the result of an information security breach at the company, which provides billing-related legal services to UPMC. This event did not occur at UPMC or affect the security of its electronic patient records or other computer systems.
CJH discovered suspicious activity affecting its employee email system in June. On July 21, 2020, the investigation determined that a number of CJH email accounts had been logged into by hackers during the time period of April 1, 2020 to June 25, 2020. After a lengthy investigation by computer forensics specialists, CJH confirmed to UPMC in December that some of UPMC’s patient information may have been accessed in this breach. While there is no evidence that this data was misused, CJH and UPMC are alerting affected patients through personal letters and public notification.
CJH’s investigation determined that its affected email accounts contained various types of information, including Social Security numbers, dates of birth, bank or financial account numbers, driver's license or state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, trip numbers, Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational-health, diagnosis, symptoms, treatment, prescription or medications, drug tests, billing or claims, and/or disability. CJH is offering credit monitoring and identity protection services to all impacted individuals and has also established a toll-free number for those with additional questions and concerns: 888-724-0238.
CJH and UPMC encourage potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, credit reports and explanation of benefits forms for suspicious activity and to report any suspicious activity immediately to their insurance company, health care provider or financial institution.
You can obtain information on obtaining a free credit report annually from each of the three major credit reporting bureaus by visiting www.annualcreditreport.com, calling 877-322-8228, or contacting the three major credit bureaus directly at: Equifax, P.O. Box 105069, Atlanta, GA, 30348, 1-800-685-1111, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com. Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General. UPMC has also notified the U.S. Department of Health and Human Services as required by the federal Health Insurance Portability and Accountability Act (HIPAA).
Individuals seeking additional information may call 888-724-0238 for additional information.