Data Breach at Legal Service Provider May Have Compromised Health Info of 36,000 Patients in Pittsburgh


The University of Pittsburgh Medical Center (UPMC) is notifying patients of a security incident that may have exposed protected health information (PHI) of over 36,000 individuals.

According to a breach alert on the patient and visitor resources page, patient information was compromised through a security incident at one of the health facility’s billing and legal services providers.

“Charles J. Hilton & Associates P.C. (CJH) is alerting more than 36,000 UPMC patients that some of their personal data may have been inappropriately accessed as the result of an information security breach at the company,” the notice reads. “This event did not occur at UPMC or affect the security of its electronic patient records or other computer systems.”

CJH noticed suspicious email activity in June 2020. Computer forensic specialists determined that the attackers had access to employee email accounts for nearly three months, between April 1 and June 25. The medical facility learned of the breach in December.

Highly sensitive patient information accessed

Exposed data could include:

  • Social Security numbers and date of birth
  • Bank or financial account numbers and electronic signatures
  • Driver’s license or state identification card number
  • Medical record numbers, patient account numbers, patient control numbers, visit numbers and trip numbers
  • Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers
  • Group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation
  • Occupational-health information, diagnosis, symptoms, treatment, prescription or medications, drug tests, billing or claims, and/or disability

Far-reaching implications

PHI is highly desired by cyber thieves, who can use it to commit medical identity theft and tax return fraud in a victim’s name. Making matters worse, an identity thief would only need a Social Security number to destroy the victim’s financial and physical well-being.

Besides financial losses, individuals could also suffer legal problems due to fraud linked to their information.

Although there has been no evidence of identity theft among patients, individuals should start reviewing account and credit report statements and notify their health or financial institution of any suspicious activity.

Impacted individuals will be provided with free credit monitoring and identity theft protection services to help guard against any attempts to misuse their personal information.
