WILLIAMSPORT — UPMC Susquehanna has notified 1,200 patients treated at various UPMC Susquehanna locations that their personal information — including names, dates of birth, contact information and Social Security numbers — may have been inappropriately accessed.
In a release sent out Friday morning, UPMC Susquehanna privacy officer David Samar said health care system apologized for the breach. “We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected. UPMC is committed to meeting our patients’ privacy expectations. We cannot confirm if any of the information was used for improper purposes, but out of an abundance of caution we deemed it appropriate to inform those possibly affected by this breach.”
The breach was discovered on Sept. 21, when an employee reported suspicious activity to the information technology staff. As a result of UPMC Susquehanna’s internal investigation, it is believed that through a phishing attack the information may have been accessed.
UPMC Susquehanna has notified the U.S. Department of Health and Human Services as required by the federal Health Insurance Portability and Accountability Act (HIPAA) that the information may have been accessed.
UPMC took over Sunbury Community Hospital on Oct. 1. There is no initial word if any patients in Sunbury were impacted.
"The 1,200 patients were scattered throughout our coverage area. We are unable at this time to give out any specifics about who was affected individually," said UPMC spokesman Tyler Wagner.
UPMC Susquehanna has sent letters notifying all of the patients affected.
"This was an isolated incident and we have been in contact with or are in the process of contacting those who were affected," said Wagner.
According the news release, UPMC has provided patients with information on how to place a fraud alert in their files with the three major credit-reporting companies, and has supplied them with links to access identity protection resources available through the Federal Trade Commission.
“We are committed to keeping patient information secure and strives to continually implement improvements to prevent such an incident from happening again,” Samar said.
UPMC Susquehanna recently took over operations at the Sunbury Community Hospital, renaming the entity UPMC Susquehanna Sunbury.
This isn't the first data breach affiliated with the hospital. In 2014, a massive data breach at the Sunbury Community Hospital's parent company at the time (Tennessee-based Community Health Systems) led to the theft of information about an unspecified number of patients treated at Sunbury Community Hospital and affiliates. Community Health Systems notified the U.S. Securities and Exchange Commission that company officials believed an “external, criminal cyber attack” from Chinese hackers breached names, addresses, birth dates, telephone numbers and Social Security numbers of 4.5 million patients across the United States.
Additional specifics about the UPMC Susquehanna breach are not available at this time.