ShareThis Page

UPMC data breach, ID theft more expansive than thought

| Friday, March 7, 2014, 12:14 a.m.

As many as 322 UPMC employees — 300 more than initially reported — have been affected by a data breach and identity theft scheme, the hospital system said on Thursday.

The breach allowed someone to use the employees' personal information to electronically file fraudulent income tax returns.

Officials said they are trying to determine the source of the ID theft and are working with the Internal Revenue Service, FBI, postal inspectors and the Secret Service. The U.S. Attorney's Office in Pittsburgh confirmed it opened an investigation but declined further comment.

“We don't know how many staff ultimately will be impacted,” said Gloria Kreps, a spokeswoman for UPMC, the region's largest employer. “Unfortunately, this type of tax fraud is common and is a national problem.”

In just the first six months of 2013, 1.6 million taxpayers were affected by identity theft, compared with 271,000 for all of 2010, according to a recent audit by the Treasury Department's inspector general.

When a taxpayer who is owed a refund becomes a victim of ID theft and the thief files a return first, the victim can still get his or her money by going through an agency process, said IRS spokeswoman Jennifer Jenkins.

Kreps said UPMC has established a payroll hotline; published information for employees on the company's internal website; hired a tax firm to help employees complete an IRS identity theft form; and will reimburse employees up to $400 to use their own accountant. Additionally, UPMC will provide credit monitoring services to the affected employees and reimburse them if they have to pay for police reports, Kreps said. The hospital system employs more than 62,000.

The breach at UPMC spawned a class-action lawsuit filed last week in Alle­gheny County Common Pleas Court that claims UPMC was negligent by failing to guard the sensitive information in its care.

Michael Kraemer, an attorney representing two UPMC McKeesport employees named in the lawsuit, on Thursday said he has spoken with more than 50 employees who experienced ID theft. Kraemer said the employees are “emotionally distraught trying to handle this mess.”

On Wednesday, Point Park University President Paul Hennigan alerted university employees of a possible breach there after a package from the school's payroll processing vendor was missing reports that may have included names, home addresses, Social Security numbers, wage information, birth dates and bank account and routing numbers.

Hennigan said Point Park is investigating and has not received any indications that the report was stolen or that any information in it has been misused.

Chris DiIenno, a lawyer with Lewis, Brisbois, Bisgaard & Lewis, the Philadelphia-based law firm working with the university and the payroll contractor, said information for up to 1,800 Point Park employees may have been contained in the missing reports.

“Our investigation continues and we continue to make plans to provide a second notice to the affected that will provide them with access to identity monitoring,” DiIenno said.

Adam Brandolph is a staff writer for Trib Total Media. He can be reached at 412-391-0927 or

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.

click me