Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Law Firm Data Breach Compromises Medical Health Data in Pittsburgh

February 10, 2021

Infosecurity reported on February 8 that a cyberattack on law firm Charles J. Hilton & Associates P.C. (CJH) has potentially exposed the personal health information (PHI) of more than 36,000 patients of University of Pittsburgh Medical Center (UPMC).

CJH, a provider of legal services to UPMC, discovered suspicious activity in its employee email system in June 2020. An investigation determined that hackers had gained access to several employee email accounts between April 1, 2020, and June 25, 2020.

In December 2020, UPMC received a breach notification report from CJH confirming that whoever hacked into the email accounts may have accessed patient data. CJH is now writing to all patients who may have been affected.

Patient information compromised in the attack consisted of data used by CJH to provide its contracted billing-related legal services to UPMC.

The data exposed includes names, dates of birth, Social Security numbers, bank or financial account numbers, driver's license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers and trip numbers.

Hackers could also access Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational health, diagnosis, symptoms, treatment, prescriptions or medications, drug tests, billing or claims, and/or disability.

"After a lengthy investigation by computer forensics specialists, CJH confirmed to UPMC in December that some of UPMC's patient information may have been accessed in this breach," stated UPMC in a notice posted February 5.

"While there is no evidence that this data was misused, CJH and UPMC are alerting affected patients through personal letters and public notification."

Complimentary credit monitoring and identity-theft protection services are being offered by CJH to patients whose data was compromised. The company has also established a hotline for people to call to voice their concerns.

UPMC and CJH are both suggesting that potentially impacted individuals review account statements, credit reports, and explanation of benefits forms for suspicious activity, and are asking them to report any such activity promptly to their insurance company, health care provider, or financial institution.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson