The letter dozens of UPMC employees got in the mail in the past two weeks from Web-based banker Ally Bank seemed innocuous.
It either casually noted that the person had either opened a new account or changed the address of an existing account.
"I thought it was just junk mail, an attempt to get us to call so we would open an account," the spouse of one UPMC employee said in an interview. "I told [my spouse] to throw it away."
But the UPMC employee did not throw it away and instead called Ally Bank, who was stunned to learn that someone had created an online account using a real Social Security number and other information.
"That's when it got scary," the spouse said.
When the employee went to work the next day and mentioned the situation to fellow employees, the employee quickly found out there were dozens of other workers in the same situation.
Employees warned each other, though, to also call the Internal Revenue Service to see if someone had tried to file a fraudulent tax return with the employee's information so the IRS would then electronically file a tax refund to the fraudulent Ally Bank account.
It turned out that happened to this employee and dozens of other UPMC employees in at least two UPMC hospitals: UPMC McKeesport and Magee-Womens Hospital of UPMC in Oakland.
The discovery of the fraud scheme apparently involving so many workers is now the subject of a federal investigation, said a spokeswoman for the U.S. attorney's office in Pittsburgh.
UPMC said it has been in touch with investigators from the Secret Service, postal inspectors and the IRS.
Ally Bank said in a statement: "If a consumer believes an unauthorized account has been opened in their name, Ally Bank's security and fraud units will work with the appropriate authorities to investigate the matter and make the maximum recovery of any misappropriated funds."
What is happening to the employees is apparently a now common version of a crime that the U.S. Department of Justice has dubbed stolen identity refund fraud, or SIRF.
UPMC said in a statement Wednesday that it believed 22 employees were "victimized" in a "common fraud scheme during tax season."
But one employee and two spouses of affected employees contacted by the Post-Gazette all believed the number of affected UPMC employees is much higher, including at least two dozen or more at UPMC McKeesport alone.
In response, UPMC has been offering employees seven years of identity protection from a private company, an employee said, but UPMC still has not put out a general warning to all of its employees.
Employees were angered and concerned, not only because they believe UPMC has moved too slowly in response to the stories that were passed on to supervisors, but because UPMC did not want to admit what seemed obvious to them.
"At first they said that [the personal identification breach] was probably because of some post office carrier," said the spouse of another employee. "Then they said it was probably because of a breach with the [hospital employee] union's information. But, come on, just admit it: It probably had something to do with UPMC."
Another UPMC employee said: "I mean, someone has reached into our [personal UPMC] accounts here, don't you think? We all do."
UPMC said in an email answer to questions that, "At this time, we do not know the cause of the breach."
Sean D. Hamill: email@example.com or 412-263-2579. First Published February 26, 2014 1:42 PM