1,200 patients affected after data breach at UPMC Susquehanna

UPMC Susquehanna officials say it’s business as usual despite a breach of patient records, including Social Security numbers.

The hospital said it notified “1,200 patients treated at various UPMC Susquehanna locations that their personal information may have been inappropriately accessed.”

“We are confident of where we are right now,” UPMC Susquehanna spokesman Tyler Wagner said.

Officials said it was discovered Sept. 21 that personal information was compromised.

It is unknown what, if anything, was done with the data.

“This was an isolated incident,” Wagner said.

Persons victimized by the breach have been notified.

The problem was discovered Sept. 21 when an employee reported suspicious activity.

An internal investigation uncovered what is believed to be a phishing attack that accessed the information — including patients’ names, dates of birth, contact information and Social Security numbers.

“We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected,” said David Samar, UPMC Susquehanna’s privacy officer. “UPMC is committed to meeting our patients’ privacy expectations. We cannot confirm if any of the information was used for improper purposes, but out of an abundance of caution we deemed it appropriate to inform those possibly affected by this breach.”

Wagner noted this does not mark the first such data breach occurring at a hospital now affiliated with UPMC Susquehanna.

“We had an incident a few years ago at Soldiers and Sailors Memorial Hospital,” he said. “It was a small incident.”

Officials noted that the health system has provided patients with information on placing a fraud alert in their files with the three major credit-reporting companies and has supplied them with links to access identity protection resources available through the Federal Trade Commission.

UPMC Susquehanna has set up a toll-free telephone line with representatives to answer questions from patients and respond to any concerns.

In addition, immediate corrective action was taken with the staff members involved, including re-training about policies and laws.

A review of procedures for keeping patient information secure has been completed, and every staff member is required to participate in annual privacy and confidentiality education.

“We are committed to keeping patient information secure and strive to continually implement improvements to prevent such an incident from happening again,” Samar said.