The data breach that has compromised the personal information of thousands of UPMC employees and the tax returns of hundreds more could be part of a national scheme.
UPMC confirmed Thursday that a data breach thought to only affect a few dozen employees when announced in February has actually revealed the personal information of approximately 27,000 employees.
Among those employees, 788 have experienced some form of tax fraud and several others have had bank accounts wiped clean, according to Michael Kraemer, a Pittsburgh attorney who has filed a suit seeking class-action litigation against UPMC. The health care organization and its subsidiaries employ approximately 62,000 people.
Questions surrounding how the breach occurred and how long UPMC knew about it before alerting employees have yet to be answered, said Mr. Kraemer.
However, if UPMC were caught up in a scheme that has resulted in the filing of more than $1 million in fraudulent tax returns this year, the company may not have understood the full scale of the data breach until it was too late.
Brian Krebs, a former Washington Post cybersecurity reporter who operates the investigative blog KrebsOnSecurity.com, said at least half a dozen health care providers across the nation have been targeted by cybercriminals hacking into third-party vendors to access human resources or payroll records.
According to Mr. Krebs, individuals within the payroll or human resources department likely had their computers compromised by malware designed to steal their login and password credentials. Once cybercriminals had the credentials, they would access employees' W2 records through cloud-based third-party vendors that store payroll and personnel information. The criminals then use that information to file the false returns with online tax software.
Mr. Krebs uncovered the scam in March when he came across a Web-based control panel used by criminal gangs to track individuals whose data had been used to file false returns. So far, more than six health care companies have been affected. He did not directly investigate the UPMC incident and could not say for sure if it was affected by that particular breach.
The full report on the breach can be found at: krebsonsecurity.com/2014/04/crimeware-helps-file-fraudulent-tax-returns.
UPMC spokeswoman Gloria Kreps didn't immediately answer questions surrounding whether the organization was affected by the breach Mr. Krebs uncovered.
Once an organization discovers that a common denominator is a third-party vendor, there's no quick way to find out every Social Security number that has been compromised.
"It's not like they can just call the IRS and ask them. If they're working with a third-party vendor, they need to work with them to find out which records were accessed and which employees are at risk," Mr. Krebs said.
Regardless of how far UPMC believed the investigation reached, Mr. Kraemer said erring on the side of caution could have saved employees thousands of dollars and weeks of grief. "The minute they confirmed there was a data breach, they should have mitigated the situation. A lot of people could have avoided problems if they knew to contact the IRS in advance to tell them to stop payment on the refund check," he said.
UPMC is encouraging all of its employees to notify their banks and check with the IRS to ensure they have not had fraudulent returns filed in their name. The company also is providing LifeLock identity protection free of charge to employees who enroll in the program by April 28.
To report suspected tax fraud to the IRS, call the Tax Fraud Hotline at 1-800-829-0433 or visit www.irs.gov/Individuals/How-Do-You-Report-Suspected-Tax-Fraud-Activity%3F.
Deborah M. Todd: firstname.lastname@example.org, 412-263-1652 or on Twitter @deborahtodd.