25% off all training courses Offer ends May 8, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 8, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

UPMC and Charles Hilton and Associates Facing Class Action Lawsuit Over 36,000-Record Breach

Posted By on Mar 23, 2021

University of Pittsburgh Medical Center (UPMC) and the law firm Charles Hilton and Associates are facing a class action lawsuit over a breach of the protected health information of 36,000 UPMC patients.

Charles Hilton and Associates, which handles collections for UPMC, announced that hackers had gained access to the email accounts of some of its employees between April and June 2020. The investigation revealed the compromised accounts contained the protected health information of UPMC patients, some of which was potentially viewed or obtained by the attackers.

The accounts contained a wide range of data including names, dates of birth, Social Security numbers, bank account information, driver’s licenses, health insurance information, and state ID card numbers. UPMC stated in its breach notice that no reports had been received to suggest information in the compromised accounts had been misused; however, the lawsuit alleges the plaintiffs’ personal and protected health information was obtained and used to open accounts in their names.

Lead plaintiff, Vince Ranalli, received a letter from his bank weeks after the breach informing him that an unauthorized account had been opened in his name. “They opened it with my Social Security number, my driver’s license, my address. They pretty much had all of my personal information,” said Ranalli in an interview with Action 4 News. He also said his father, who had also been affected by the breach, had received multiple credit cards that he had not applied for.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The lawsuit accuses UPMC and Charles Hilton and Associates of negligence for failing to secure the personal and protected health information of patients, invasion of privacy, and other violations. The lawsuit was filed by Joshua P. Ward of J.P. Ward & Associates, who said in a statement, “We’re seeking to curtail the problem, identify all the people affected, recover monies for them to the extent they’re entitled and to protect their information.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist