The University of Pittsburgh Medical Center has agreed to pay $450,000 to settle a data breach that compromised information belonging to about 36,000 UPMC patients.
Between April and June 2020, email accounts at UPMC’s legal counsel, Charles J. Hilton PC (CJH), were hacked, with patient names, social security numbers, birth dates, financial account numbers, identification numbers, signatures, medical records and insurance information stolen, reported the National Law Review
UPMC notified patients in December 2020 and again in February 2021, saying that “there is no evidence that this data was misused,” according to the complaint filed.
But lead plaintiff Michael Bowen alleges that the hackers used his information to open up a fraudulent Amazon credit card in his name and that it took significant time to resolve the issue. He asserts that UPMC and CJH failed to use reasonable cybersecurity protocols like adequate firewalls to protect sensitive data. He also says they violated current data security industry standards.
While both companies deny the allegations, they will pay affected members up to $250 each in cash payments for documented expenditures related to the incident and up to $2,500 for documented identity theft losses or fraudulent charges. They also will pay up to $30 for undocumented time spent. UPMC will provide 12 months of free credit monitoring to all affected, reported Health IT Security
UPMC paid another settlement in 2021 of $2.65 million in relation to a data breach in 2014 that affected 66,000 employees. Former Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson hacked into the hospital’s database, stole information belonging to the employees and then sold it on the dark web to cybercriminals, who used it to file false tax returns, according to Infosecurity Magazine
The Department of Justice said that hundreds of false 1040 tax returns were filed in 2014 using UPMC employee PII and that the criminals claimed hundreds of thousands of dollars in false tax refunds, as a result. They used the returns to buy Amazon gift cards, then bought goods with them that they shipped to Venezuela, costing the IRS $1.7 million.