On July 6, 2019, we first learned that an unauthorized person gained access to a limited number of employee email accounts beginning on July 2, 2019, and continuing through July 15, 2019. We immediately secured the accounts, began an investigation, and hired a leading computer forensic firm to assist.
The investigation was unable to determine whether the unauthorized person actually viewed any emails or attachments in the accounts. We reviewed the emails and attachments in the accounts to identify patients whose information may have been accessible to the unauthorized person.
From this review, patient information was identified in one or more of the email accounts, including patient names, dates of birth, patient account and/or medical record numbers, health insurance information and clinical information, which may have included dates of service, provider names, and diagnostic, treatment, surgical, and/or prescription information. In limited instances, patients’ Social Security numbers were also found in the accounts.
We have no indication that any patient information was actually viewed by the unauthorized person, or that it has been misused. However, out of an abundance of caution, we began mailing letters to affected patients on January 31, 2020, and have established a dedicated call center for patients to call with questions. If any patients have questions about this incident, please call 1-833-496-0187, Monday through Friday, 9:00 a.m. to 6:30 p.m. Eastern Time.
We recommend that our patients review any statements they receive from their healthcare providers and health insurers. If you see any services that you did not receive, please contact the provider or insurer immediately. For eligible patients whose Social Security number was found in the email accounts, we are offering complimentary credit monitoring and identity protection services.
We deeply regret any inconvenience or concern this incident may cause you. To help prevent something like this from happening in the future, we reset all employee passwords, limited external email access, blocked access to malicious sites and IP addresses identified through the investigation of this incident, increased monitoring of network activity, continued to educate users on how to identify and avoid malicious emails, and added additional authentication measures for remote email access.
This statement was originally issued in September 2019 and updated February 2020.