Cyber Incident Victim: University of Pittsburgh Medical Center
Date: Apr 2014
Location: United States of America
Summary
A healthcare organization experienced a data breach compromising personal information of up to 27,000 employees, with at least 788 confirmed victims of tax fraud linked to the incident. Unauthorized access exposed Social Security numbers and other sensitive details, prompting collaboration with federal agencies including the IRS and Secret Service for investigation. The organization provided identity-theft protection services, tax assistance, and financial reimbursement to affected workers while maintaining that patient data remained secure. A class-action lawsuit alleged negligence in managing confidential information amid ongoing inquiries into the breach's origins.
Description
The University of Pittsburgh Medical Center (UPMC) disclosed a significant data breach in 2014 affecting employee information, with unauthorized access potentially compromising personal details of up to 27,000 workers—more than a third of its 62,000-person workforce. The incident initially came to light in February when UPMC identified fraudulent tax filings under the names of at least 22 employees. By March, projections suggested up to 322 workers might be impacted, but updated figures in April confirmed at least 788 employees had fallen victim to tax fraud. The breach involved theft of Social Security numbers and other sensitive data used to file false federal tax returns, though patient data remained unaffected. UPMC alerted federal authorities immediately upon confirming the unauthorized access, initiating collaboration with the Internal Revenue Service, Secret Service, and Postal Inspection Service. The U.S. Attorney for Western Pennsylvania described the investigation as complex but provided no further specifics due to its ongoing status.

UPMC responded by issuing advisory letters to affected employees, urging them to notify banks and the Federal Trade Commission while offering free enrollment in identity-theft protection services. The health system established a dedicated payroll hotline, retained a tax firm to assist with IRS identity theft forms, and offered reimbursements of up to $400 for employees using private accountants. Despite these measures, a class-action lawsuit filed in Allegheny Common Pleas Court alleged negligence in UPMC’s handling of sensitive data. UPMC emphasized the prevalence of identity theft, citing federal data showing 1.6 million taxpayers affected in the first half of 2013—a sharp increase from 271,000 cases in 2010. The breach’s exact origin remained unclear, and UPMC could not confirm how many employees had successfully recovered stolen tax refunds through IRS procedures. Concurrently, Point Park University in Pittsburgh reported a separate potential breach involving worker Social Security numbers, wage details, and bank account information in March 2014.
