UPMC settles 2020 data breach lawsuit for $450,000

by John R. Fischer, Senior Reporter | June 29, 2022

Hackers stole information on 36,000 patients from email accounts at Charles J. Hilton PC, the legal counsel for UPMC.

The University of Pittsburgh Medical Center has agreed to pay $450,000 to settle a data breach that compromised information belonging to about 36,000 UPMC patients.

Between April and June 2020, email accounts at UPMC’s legal counsel, Charles J. Hilton PC (CJH), were hacked, with patient names, social security numbers, birth dates, financial account numbers, identification numbers, signatures, medical records and insurance information stolen, reported the National Law Review.

UPMC notified patients in December 2020 and again in February 2021, saying that “there is no evidence that this data was misused,” according to the complaint filed.

Reveal Mobi Pro now available for sale in the US

Reveal Mobi Pro integrates the Reveal 35C detector with SpectralDR technology into a modern mobile X-ray solution. Mobi Pro allows for simultaneous acquisition of conventional & dual-energy images with a single exposure. Contact us for a demo at no cost.

But lead plaintiff Michael Bowen alleges that the hackers used his information to open up a fraudulent Amazon credit card in his name and that it took significant time to resolve the issue. He asserts that UPMC and CJH failed to use reasonable cybersecurity protocols like adequate firewalls to protect sensitive data. He also says they violated current data security industry standards.

While both companies deny the allegations, they will pay affected members up to $250 each in cash payments for documented expenditures related to the incident and up to $2,500 for documented identity theft losses or fraudulent charges. They also will pay up to $30 for undocumented time spent. UPMC will provide 12 months of free credit monitoring to all affected, reported Health IT Security.

UPMC paid another settlement in 2021 of $2.65 million in relation to a data breach in 2014 that affected 66,000 employees. Former Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson hacked into the hospital’s database, stole information belonging to the employees and then sold it on the dark web to cybercriminals, who used it to file false tax returns, according to Infosecurity Magazine.

The Department of Justice said that hundreds of false 1040 tax returns were filed in 2014 using UPMC employee PII and that the criminals claimed hundreds of thousands of dollars in false tax refunds, as a result. They used the returns to buy Amazon gift cards, then bought goods with them that they shipped to Venezuela, costing the IRS $1.7 million.

Back to HCB News



You Must Be Logged In To Post A Comment Sign In If you've already created an account, use your email address and password to sign in using the form below. Login Problems: Click here if you are having login issues. Email address: Password: Forgot your password? Login Problems? View our Legal Notice and Privacy Notice Register Registration is Free and Easy. Enjoy the benefits of The World's Leading New & Used Medical Equipment Marketplace. Register Now!