UPMC now says the personal information of as many as 27,000 of its employees may have been put at risk by a data breach that was first reported to the health care conglomerate in February.
“As of today, 788 employees have been the victims of tax fraud,” UPMC spokeswoman Gloria Kreps wrote in a statement. “We want to assure our patients that no patient information was breached. We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach. We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity.”
The new figure, provided Thursday, was the latest increase by UPMC since employees began reporting instances of identity theft about two months ago.
At first, UPMC said the issue affected only a few dozen employees, then about 322.
“That’s what we were saying all along ... is that there are thousands,” said Michael Kraemer, a Pittsburgh lawyer who has filed a lawsuit seeking class-action status against UPMC for the breach on behalf of employees who had fraudulent bank accounts opened in their name and tax returns stolen. “The message for this huge number of people is you need to keep track of any out-of-pocket expenses and any time you spend dealing with this.”
The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.
In addition to the stolen tax refunds, Mr. Kraemer said he has heard from UPMC employees who say they have had bank accounts drained, though he has not yet been able to independently verify the claims.
He questioned why it has taken UPMC so long to identify the scope of the problem.
“It is extremely concerning that when this story broke in February, the response from UPMC was that ‘It’s OK, only 20 people were affected,’” Mr. Kraemer said. “This is something that arguably they should have known back in February. ... People are now exposed.”
Mr. Kraemer said UPMC sought and received a 30-day extension to respond to his suit, filed Feb. 27, and is still within that window.
The hospital group and its affiliates employee about 62,000 people and Mr. Kraemer said he has heard from employees in every facet of UPMC’s operations.
“Just from the sheer number of people I’ve talked to, I don’t see any department that’s been excluded,” Mr. Kraemer said. “Why isn’t it every single employee?”
A UPMC spokesperson said all employees who could have been potentially affected by the breach have been notified.
After the potential data theft was reported, the company set up a hot line for employees to call about their case, created a “comprehensive employee intranet site with information and resources,” hired a tax firm to help employees file the required IRS identity theft affidavit form and offered reimbursement if the employees have hired someone to do it for them. UPMC also offered credit monitoring services for the affected employees and reimbursement employees for costs associated with filing a police report, it has said.
In a letter, UPMC urged employees to contact their banks and check with the IRS to ensure that tax returns have not been fraudulently filed in their names as well as to prevent the potential for future incidents. UPMC also said it is providing LifeLock identity protection free of charge to employees who enroll by April 28.
“We are putting our full resources behind efforts to investigate and secure our systems,” UPMC Vice President John P. Houston wrote in the letter. “We recognize a situation like this creates stress and anxiety about the safety of your personal information and we want to provide you with all the tools and resources we can to help you deal with this all-too-common crime.”
Robert Zullo: firstname.lastname@example.org or 412-263-3909. Twitter: @rczullo.