UPMC and Charles Hilton Sued Over PHI Breach

A Pennsylvania medical center and its legal services provider are facing a class-action lawsuit over a data breach that exposed the protected health information (PHI) of more than 36,000 patients.

The breach occurred last year when hackers gained access to several email accounts belonging to employees of law firm Charles J. Hilton & Associates P.C. (CJH). An investigation revealed that the attackers had access to the accounts between April 1 and June 25, 2020.

CJH provides billing-related legal services to the University of Pittsburgh Medical Center (UPMC). In December 2020, CJH notified UPMC of the breach and confirmed that the threat actors may have accessed UPMC patient data.

Information exposed in the breach included names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, and trip numbers.

Furthermore, the threat actors gained unauthorized access to Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational health, diagnosis, symptoms, treatment, prescriptions or medications, drug tests, billing or claims, and/or disability.

A lawsuit brought by lead plaintiff Vince Ranalli accuses UPMC and CJH of a number of violations, including negligence, invasion of privacy, and failure to secure patients’ PHI.

Ranalli said that, in the weeks following the breach, his bank contacted him to advise him that his name had been used to open an unauthorized account.

“They opened it with my Social Security number, my driver’s license, my address,” said Ranalli in an interview with Action 4 News. “They pretty much had all of my personal information.”

Ranalli added that the data breach had also impacted his father, who, after his data was exposed, had received four credit cards that he had not applied for.

Joshua P. Ward of J.P. Ward & Associates, who filed the lawsuit, said: “We’re seeking to curtail the problem, identify all the people affected, recover monies for them to the extent they’re entitled and to protect their information.”