UPMC said today that an identity theft and tax fraud case affecting its employees has grown from a few dozen to more than 300 in the last week, and has affected staff in at least two additional hospitals.
Despite that, though, UPMC said in a statement it still does not know how the personal information was stolen.
A week ago, UPMC reported that it only knew of 22 employees who were affected by the identify theft, in which criminals apparently got a hold of social security numbers and illegally filed for electronic tax refunds for those employees, using an online bank to receive the funds.
UPMC employees told the Post-Gazette then that they believed many more than 22 employees were affected in at least two buildings: UPMC McKeesport and Magee Women's Hospital of UPMC in Oakland.
Today, UPMC said the Internal Revenue Service has told the healthcare company that 322 UPMC employees are now known to be affected.
UPMC also confirmed that employees in two additional hospital buildings -- the two campuses that comprise UPMC Presbyterian-Shadyside -- have been affected.
After some employees last week criticized UPMC for its slow response to the situation, UPMC said since then it has:
- Set up a hot line for employees to call about their case;
- Created a "comprehensive employee intranet site with information and resources";
- Hired a tax firm to help employees file the required IRS identity theft affidavit form, and offered up to $400 reimbursement if the employees have hired someone to do it for them;
- Offered credit monitoring services for the affected employees;
- Offered to reimburse employees for costs associated with filing a police report.
According to employees and family of employees, here is how the scam was set-up:
First, after somehow obtaining employees' personal identification information, an online bank account with Ally Bank was established in the employees' names.
Then, that same personal information was used to file phony IRS tax forms requesting that a tax refund be sent electronically to the Ally Bank accounts. Ally Bank said that it is cooperating the IRS and law enforcement in the investigation.
It is a version of a common crime that the U.S. Department of Justice has dubbed stolen identity refund fraud, or SIRF.
Employees discovered the fraud when they would receive a letter in the mail from Ally Bank confirming that they had either established a new online account, or recently changed the mailing address for correspondence for their online account.
While it has yet to figure out how the data breach occurred, UPMC said: "UPMC is continuing to aggressively investigate this situation, and we are cooperating fully with the IRS, FBI, Secret Service, and police."
The U.S. Attorney's office in Pittsburgh is investigating the case.
Sean D. Hamill: firstname.lastname@example.org or 412-263-2579