Suspected UPMC Susquehanna Phishing Attack Exposes 1,200 Patients’ PHI

A network of hospitals and medical centers in Williamsport, Wellsboro and Muncy in Pennsylvania, called UPMC Susquehannam has revealed that the protected health information of 1,200 patients has possibly been accessed by unauthorized people. Access to patient information is thought to have been obtained after an worker replied to a phishing email.

While information regarding the breach date have not been published, UPMC Susquehanna says it found the breach on September 21, when a worker reported suspicious activity on their computer. An inquiry was begun which revealed unauthorized people had gained access to that person’s computer.

They have not yet discovered whether the attacker viewed, stole or misused any patient data, but the possibility of data access and misuse could not be ruled out. The information potentially exposed includes names, contact information, dates of birth, and Social Security information.

The individuals possibly impacted by the incident had previously received treatment at a number of UPMC Susquehanna hospitals including Muncy Valley Hospital, UPMC Susquehanna Lock Haven, Sunbury Community Hospital, Soldiers and Sailors Memorial Hospital in Wellsboro, Williamsport Regional Medical Center and Divine Providence Hospital based in Williamsport.

UPMC Susquehanna moved quickly after the breach, terminating access for unauthorized users. Workers have also been undergoing “intensive retraining” on hospital policies and appropriate federal and state legislation to prevent any further breaches occurring. UPMC Susquehanna said this training scheme was in addition to the annual training sessions already provided to all workers on the privacy and confidentiality of patient health information. UPMC Susquehanna has also took steps to a complete review of its policies and procedures for keeping patient information safe from being exposed.

All individuals impacted by the breach incident have been offered free identity theft protection services and have now received notifications via the mail. Patients have also been advised of the steps they can take to enhance the security of their accounts and credit in case their information is accessed.

Author: Maria Perez