The number of UPMC employees affected by a recent data breach at the University of Pittsburgh Medical Center now stands at 322, the hospital system said last week. That appears to be in addition to more than 1,300 current and former patients whom the center has also informed of the breach through its notification letter.

The breach allowed someone to use the employees’ and patients’ personal information to electronically file fraudulent income tax returns. Officials said they are trying to determine the source of the ID theft and are working with the FBI, IRS, postal inspectors, and the Secret Service. The U.S. Attorney’s Office in Pittsburgh confirmed it opened an investigation. The information compromised includes names, dates of birth, contact information, treatment and diagnosis information, and Social Security numbers.

According to the letter, those affected are spread across several UPMC locations. In a statement, UPMC stressed the stringent protocols it uses to keep patient and employee information safe. It did not give specific details on how the breach occurred, or what steps are being taken to prevent similar incidents in the future. Identity crimes surrounding fraudulent tax returns are unfortunately becoming increasingly common, as a recent report from the Treasury Department’s Inspector General can attest. According to the audit, in the first six months of 2013, 1.6 million taxpayers were affected by identity theft. That’s a huge increase in the number of incidents in only a few short years.

In response to the breach, UPMC has established a payroll hotline, published information for employees on the company’s internal website, hired a tax firm to help employees complete an IRS identity theft form, and will reimburse employees up to $400 to use their own accountant. Additionally, UPMC will provide credit monitoring services to the affected employees and reimburse them if they have to pay for police reports.

In the wake of the breach, two former employees have filed suit against the Medical Center.  The three-count lawsuit claims negligence, invasion of privacy and breach of implied contract. According to the language in the suit, plaintiffs allege that UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care. The plaintiffs are seeking credit monitoring services for 10 years and unspecified damages, costs and legal fees. Attorney Elizabeth Pollock-Avery from the downtown Pittsburgh firm of Kraemer, Manes & Associates, LLC filed the complaint on behalf of the two plaintiffs.

If you have questions relating to this or any other data breach, please feel free to contact the Identity Theft Resource Center toll-free at (888) 400-5530.  You can also get free information from the website at

“University of Pittsburgh Medical Center the Latest Victim of Data Breach” was written by Matt Davis. Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.