UPMC Susquehanna Notifies Patients to Personal Data Breach

WILLIAMSPORT – UPMC Susquehanna has notified 1,200 patients treated at various UPMC Susquehanna locations that their personal information may have been inappropriately accessed.

“We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected,”said David Samar, UPMC Susquehanna’s privacy officer. “UPMC is committed to meeting our patients’ privacy expectations. We cannot confirm if any of the information was used for improper purposes, but out of an abundance of caution we deemed it appropriate to inform those possibly affected by this breach.”

The breach was discovered on September 21, 2017, when an employee reported suspicious activity to the information technology staff. As a result of UPMC Susquehanna’s internal investigation, it is believed that through a phishing attack the information — including patients’ names, dates of birth, contact information and Social Security numbers — may have been accessed.

UPMC Susquehanna has notified the U.S. Department of Health and Human Services as required by the federal Health Insurance Portability and Accountability Act (HIPAA) that the information may have been accessed.

UPMC Susquehanna has sent letters notifying all of the patients affected.

The health system has provided patients with information on how to place a fraud alert in their files with the three major credit-reporting companies, and has supplied them with links to access identity protection resources available through the Federal Trade Commission. UPMC Susquehanna has also set up a toll-free telephone line with representatives who can answer questions from these patients and respond to any concerns.

UPMC Susquehanna took immediate corrective action with the staff members involved, including intensive re-training on the applicable policies and laws. In addition, UPMC Susquehanna has completed a comprehensive review of current procedures for keeping patient information secure. Current procedures include a combination of staff education, employment screening and other industry best practices. UPMC Susquehanna requires every staff member to participate in privacy/confidentiality annual education.

“We are committed to keeping patient information secure and strives to continually implement improvements to prevent such an incident from happening again,” Samar said.
More information is available at UPMCSusquehanna.org or UPMC.com.