UPMC experienced a data breach that affected over 27,000 employees. Employee personnel data was stolen from UPMC's document management system and used to file fraudulent tax returns. UPMC is working with federal agencies to determine the source of the breach. Some steps UPMC is taking include establishing a payroll hotline, publishing employee information online, and providing credit monitoring services to affected employees.

1. UPMC Identity Data Breach
Security of employee personnel data is a serious concern in all establishments. Data
breaches cost a company time and money and badly affect public trust and
confidence. The recent identity theft at University of Pittsburgh Medical Center
(UPMC) has affected more than 27,000 of its employees. A spokesperson for UPMC
has confirmed that patient data has not been compromised. Data stolen from UPMC’s
document management system was used to electronically file phony income tax
returns. Such stolen information can be used to claim tax refunds and even to apply
for a job.
How UPMC is Addressing the Data Breach Issue
According to a Triblive report, UPMC is working with federal investigation agencies to
determine the source of the breach. Some of the measures the hospital has taken or
plans to take to deal with the situation include
• Established a payroll hotline
• Published employee information on the company website
• Hired a tax firm to help employees complete an IRS identity theft form
• Plans to reimburse employees up to $400 to use their own accountant
• Providing credit monitoring services to affected employees
• Financial assistance for those who have to pay for police reports
www.managedoutsource.com 800-670-2809

2. Reasons for Personal Data Breach
Employee databases usually contain information such as name, home address, social
security number, wage information, birth date, bank account number, and routing
numbers. Data breaches can occur intentionally or unintentionally. Here are the most
typical reasons for ID thefts from an organization’s information system:
• Human error
• Inappropriate access controls allowing unauthorized use
• Equipment failure
• Hacking attack
• ‘Blagging’ or the use of deceptive means to extract personal data from people
or organizations
• Loss or theft of data or equipment on which data is stored
Avoiding Data Breaches
The company should identify the security risks to personal information that it holds
and the impact of a security breach.
• Policies should be developed on implement measures, practices and
procedures to minimize the identified risks to personal data
• Educate staff and managers in security and fraud awareness, codes of
conduct and security practices and procedures
www.managedoutsource.com 800-670-2809

3. • Access to data should be restricted only to those staff members who have the
necessary clearance
• Access to systems which are no longer in active use and which contain
personal data should be removed.
• Use of strong passwords to protect PC, databases, PC’s, etc from
unauthenticated access
• Personal data of those who retire, resigns, or get transferred should be
removed from the database. If it is in paper it can be scanned and indexed or
stored in a repository internally or a document imaging company with such a
service.
• Monitoring and review – Constant monitoring is necessary to ensure
compliance with the security policy as well as to assess of new security risks
and to examine the adequacy of existing security measures to deal with these
risks
Firms with paper-based documents should switch to secure electronic document
management systems. Voluminous data entry and document scanning and imaging
can be handled by outsourcing the tasks.
www.managedoutsource.com 800-670-2809