UPMC Susquehanna Patients’ PHI Exposed Due to Phishing Attack


The protected health information of 1,200 UPMC Susquehanna patients has potentially been exposed to unauthorized persons. UPMC Susquehanna is a network of hospitals and medical facilities in Muncy, Pennsylvania and Williamsport, Wellsboro. According to the report, an employee responded to a phishing email, which paved the way to unauthorized access of the PHI.

No specific details have been disclosed regarding the breach except that it was discovered on September 21 because of suspicious computer activity reported by an employee. Further investigation revealed that the computer has already been accessed by unauthorized persons.

There’s no report yet regarding the actions taken by the attacker, whether he viewed, stole or misused patient information, so any data misuse could be possible. The data the attacker has potential access to include patient names, dates of birth, contact numbers and Social Security numbers.

Patients that may have been impacted by the data breach include those that received treatment at any UPMC Susquehanna hospital in the past. The list of UPMC Susquehanna hospitals affected by the breach includes UPMC Susquehanna Lock Haven, Muncy Valley Hospital, Sunbury Community Hospital, Williamsport Regional Medical Center, Soldiers and Sailors Memorial Hospital in Wellsboro, and Divine Providence Hospital in Williamsport.

Because of the incident, UPMC Susquehanna did what it could quickly to terminate unauthorized access. Hospital employees underwent “intensive retraining” and tackled hospital policies and federal/state laws to make sure similar incidents will not recur. A review of policies and procedures for patient information security was also conducted. This training was in addition to the staff training on privacy and confidentiality of PHI.

In addition to the mail notifications regarding the breach sent to all affected patients, UPMC Susquehanna also offered free identity theft protection services. The patients also got special instructions in case their accounts and information have actually been misused.