
Email Account Breach at Law Firm Affects More Than 36,000 UPMC Patients

University of Pittsburgh Medical Center (UPMC) has announced that the protected health information of more than 36,000 patients has potentially been accessed by unauthorized individuals following a cyberattack on a company that provides billing-related legal services to UPMC.

In June 2020, Charles J. Hilton & Associates P.C. (CJH) discovered suspicious activity in its employee email system and launched an investigation. On July 21, 2020, CJH determined that hackers had gained access to the email accounts of several of its employees between April 1, 2020 and June 25, 2020.

Computer forensics specialists conducted an extensive investigation into the incident to determine which information was accessed or obtained by the hackers. UPMC said it received a notification about the breach in December 2020 confirming patient information may have been accessed by the hackers. Notification letters are now being sent by CJH to all patients potentially affected by the breach. UPMC said none of its systems, including its electronic medical record system, were affected, and the only information involved was patient information provided to CJH so that it could perform its contracted billing-related legal services.

CJH said the compromised accounts contained names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, trip numbers, Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational health, diagnosis, symptoms, treatment, prescription or medications, drug tests, billing or claims, and/or disability.


CJH is offering complimentary membership to credit monitoring and identity theft protection services to affected individuals. The Department of Health and Human Services’ Office for Civil Rights Breach Portal shows 36,086 individuals were affected.

UPMC Health Plan Phishing Incident Impacts 19,000 Members

19,000 members of UPMC Health Plan are being notified that some of their protected health information has potentially been compromised. An email account of a UPMC Health Plan employee was accessed by an unauthorized individual on December 8, 2020. UPMC Health Plan was notified about the breach the following day.

The information stored in the compromised email account only included names, dates of birth, parent/guardian names, and limited clinical information, including dental provider and procedure information. No evidence was found to indicate any plan member information has been misused.

This phishing attack does not appear to be in any way connected to the phishing attack at Charles J. Hilton & Associates P.C.

Nevada Health Centers Alerts Patients About Email Account Breach

Nevada Health Centers has announced that the protected health information of some of its patients has potentially been compromised. Between November 20 and December 7, 2020, an unauthorized individual remotely logged into an employee’s email account that contained patient information.

The person who logged into the account appeared to be based overseas, with one of the login attempts made using a South African IP address. The attack appears to have been conducted to obtain financial information about Nevada Health Centers rather than patient health data, although it is possible that patient information was viewed or obtained in the attack. Nevada Health Centers said no evidence of PHI access or theft has been found.

The compromised email account was discovered to contain patient names in combination with one or more of the following types of information: address, phone number, date of birth, gender, ethnicity, race, insurance information, appointment information, medical record number, provider name, service location(s). It is currently unclear how many patients have been affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.