[BreachExchange] UPMC Susquehanna notifies patients of data breach

Destry Winant destry at riskbasedsecurity.com
Fri Nov 17 23:03:46 EST 2017


http://www.dailyitem.com/news/upmc-susquehanna-notifies-patients-of-data-breach/article_ee1b32c6-cbb6-11e7-97e6-bf68278e1b03.html

UPMC Susquehanna has notified 1,200 patients treated at various UPMC
Susquehanna locations that their personal information — including
names, dates of birth, contact information and Social Security numbers
— may have been inappropriately accessed.

In a release sent out Friday morning, UPMC Susquehanna privacy officer
David Samar said the health care system apologized for the breach. “We
apologize for any concern or inconvenience that this may cause for our
patients. I want to stress that patient care was never affected. UPMC
is committed to meeting our patients’ privacy expectations. We cannot
confirm if any of the information was used for improper purposes, but
out of an abundance of caution we deemed it appropriate to inform
those possibly affected by this breach.”

The breach was discovered on Sept. 21, when an employee reported
suspicious activity to the information technology staff. As a result
of UPMC Susquehanna’s internal investigation, it is believed that
through a phishing attack the information may have been accessed.

UPMC Susquehanna has notified the U.S. Department of Health and Human
Services as required by the federal Health Insurance Portability and
Accountability Act (HIPAA) that the information may have been
accessed.

UPMC took over Sunbury Community Hospital on Oct. 1. There is no
initial word if any patients in Sunbury were impacted.

"The 1,200 patients were scattered throughout our coverage area. We
are unable at this time to give out any specifics about who was
affected individually," said UPMC spokesman Tyler Wagner.

UPMC Susquehanna has sent letters notifying all of the patients affected.

"This was an isolated incident and we have been in contact with or are
in the process of contacting those who were affected," said Wagner.

According to the news release, UPMC has provided patients with
information on how to place a fraud alert in their files with the
three major credit-reporting companies, and has supplied them with
links to access identity protection resources available through the
Federal Trade Commission.

“We are committed to keeping patient information secure and strive to
continually implement improvements to prevent such an incident from
happening again,” Samar said.

UPMC Susquehanna recently took over operations at the Sunbury
Community Hospital, renaming the entity UPMC Susquehanna Sunbury.

This isn't the first data breach affiliated with the hospital. In
2014, a massive data breach at the Sunbury Community Hospital's parent
company at the time (Tennessee-based Community Health Systems) led to
the theft of information about an unspecified number of patients
treated at Sunbury Community Hospital and affiliates. Community Health
Systems notified the U.S. Securities and Exchange Commission that
company officials believed an “external, criminal cyber attack” from
Chinese hackers breached names, addresses, birth dates, telephone
numbers and Social Security numbers of 4.5 million patients across the
United States.

Additional specifics about the UPMC Susquehanna breach are not
available at this time.

