Cyber Incident Victim: Charles J. Hilton & Associates
Date: Apr 2020
Location: United States of America
Summary
A cyberattack targeting a law firm providing legal services to UPMC compromised employee email accounts, potentially exposing sensitive personal and health information of over 36,000 patients. Unauthorized access to the firm's systems allowed attackers to obtain data including names, Social Security numbers, financial account details, medical records, insurance identifiers, treatment information, and prescription details. The breach was discovered following an investigation into suspicious email activity, with forensic analysis confirming potential patient data access. While no evidence of misuse was found, affected individuals received notification letters and were offered complimentary credit monitoring and identity-theft protection services. The incident prompted advisories for patients to monitor financial and medical accounts for suspicious activity.
Description
In June 2020, Charles J. Hilton & Associates (CJH), a Pennsylvania law firm providing billing-related legal services to the University of Pittsburgh Medical Center (UPMC), detected suspicious activity within its employee email system. An investigation revealed unauthorized access to multiple employee email accounts between April 1, 2020, and June 25, 2020. Forensic analysis confirmed the attackers potentially accessed sensitive patient data belonging to UPMC, though the specific intrusion method was not disclosed. By December 2020, CJH formally notified UPMC that the breach might have compromised the personal health information (PHI) of over 36,000 patients. The exposed data included highly sensitive identifiers such as names, dates of birth, Social Security numbers, driver’s license numbers, financial account details, electronic signatures, and medical record numbers. Additionally, attackers accessed medical details like diagnoses, treatments, prescriptions, drug tests, billing claims, disability information, and insurance identifiers, including Medicare/Medicaid numbers and group/subscriber health insurance details.

UPMC publicly disclosed the incident on February 5, 2021, emphasizing no evidence of data misuse but urging vigilance among affected individuals. CJH initiated patient notifications via mailed letters and established a dedicated hotline for inquiries. The firm offered complimentary credit monitoring and identity-theft protection services to impacted patients. Both organizations advised reviewing financial statements, credit reports, and insurance benefit forms for irregularities and promptly reporting suspicious activity to relevant institutions. The breach’s scope was confined to data within CJH’s email systems used for UPMC legal services, with no indication that UPMC’s internal networks were compromised. Containment efforts concluded with the remediation of the email accounts, though the attacker’s identity and motives remained undetermined.
