“We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected,” said UPMC Cole’s President and Senior Executive, Ed Pitchford. “UPMC is committed to meeting our patients’ privacy expectations. We cannot confirm if any of the information was used for improper purposes, but, out of an abundance of caution, we deemed it appropriate to inform those possibly affected by this breach.”
UPMC Cole’s internal investigation determined that there were two phishing attacks, on June 7th and June 14th, which were discovered when staff reported receiving the e-mails. (Phishing e-mails are sent from an external source but made to look as if they come from a trusted source; they attempt to obtain sensitive information and often contain links to a phony login page or fake website.) The phishing attacks were isolated to e-mail accounts, and no medical records systems were breached. The following information was found in the e-mails, to varying degrees for each patient: patients’ names, dates of birth, scheduling information, types of procedures, names of providers, and other general treatment information. No patient Social Security numbers were accessed during the phishing attacks.
UPMC Cole has notified the U.S. Department of Health and Human Services as required by the Federal Health Insurance Portability and Accountability Act (HIPAA) that the information may have been accessed.
UPMC Cole has sent letters notifying all of the patients affected.
UPMC Cole has provided patients with information on how to place a fraud alert in their files with the three major credit-reporting
UPMC Cole took immediate corrective action by blocking the unwanted access.
“We are committed to keeping patient information secure and strive to continually implement improvements to prevent such an incident from happening again,” Mr. Pitchford said.