Primary Health Care, Inc. – Notice of Data Security Event

Primary Health Care Inc. (“PHC”) is providing notice of an incident that occurred at PHC and may affect the security of protected health information of certain PHC patients.  While PHC is unaware of any actual or attempted misuse of the information, this notice contains details about the incident and PHC’s response, as well as steps impacted individuals can take to protect their information, should they feel it appropriate to do so.

What Happened?  On March 1, 2017, PHC discovered that the email accounts of four of its employees had been subject to unauthorized access on February 28, 2017.  PHC immediately terminated the unauthorized access and began an investigation which included a review of the contents of the email account for protected information.  A forensic investigator was hired to confirm the scope of the unauthorized access to the email accounts and the related Google drives.  Unfortunately, PHC is unable to confirm what emails within the account, if any, were subject to unauthorized access.  Therefore, the forensic investigator reviewed all four email accounts and Google drives to determine what protected health information they may have contained.  Though it has no evidence that any emails were subject to unauthorized access, in an abundance of caution, PHC is providing notice to potentially affected individuals.

What Information Was Involved?  The patient information located in one of the email accounts or Google drives and therefore potentially subject to unauthorized access includes a combination of patient name, phone number, Social Security number, driver’s license number, financial account number, credit/debit card number, date of service, diagnosis and treatment information, medical history, facility and provider visited, health insurance/payor information and, if applicable, Medicaid identification number.  PHC currently has no evidence of any actual or attempted misuse of patient information as a result of this incident.

What We Are Doing.  The confidentiality, privacy, and security of patient information is one of PHC’s highest priorities.  PHC has stringent security measures in place to protect the security of information in its possession.  In addition, as part of our ongoing commitment to the security of protected health information in its care, PHC is working to implement additional safeguards and security measures to enhance the privacy and security of information on its systems.  PHC is notifying the affected individuals and will be reporting this incident to the U.S. Department of Health and Human Services (HHS).

As an added precaution, PHC has arranged to have AllClear ID provide 12 months of identity protection services starting on the date of the notice to the affected individuals.

What You Can Do.  You can review your credit card and bank account statements, explanation of benefits forms and credit reports for suspicious activity.  Report such activity to your bank, credit card issuer or health insurance company.  You can also review the Steps You Can Take to Protect Your Information below.

For More Information.  PHC understands that patients may have questions about this incident that are not addressed in this notice. If you have additional questions, you can contact PHC at (855) 303-9813.

PHC sincerely regrets any inconvenience this incident has caused.

Steps You Can Take to Protect Your Information.

We encourage potentially affected individuals to remain vigilant against incidents of identity theft and fraud, to review their account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of your credit report.

At no charge, you can also have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it may also delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

Equifax

P.O. Box 105069

Atlanta, GA 30348

800-525-6285

www.equifax.com

Experian

P.O. Box 2002

Allen, TX 75013

888-397-3742

www.experian.com

 

TransUnion

P.O. Box 2000

Chester, PA 19106

800-680-7289

www.transunion.com

 

You may also place a security freeze on your credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. If you have been a victim of identity theft and you provide the credit bureau with a valid police report, it cannot charge you to place, lift, or remove a security freeze. In all other cases, a credit bureau may charge you a fee to place, temporarily lift, or permanently remove a security freeze.  Fees vary based on where you live, but commonly range from $3 to $15.  You will need to place a security freeze separately with each of the three major credit bureaus listed above if you wish to place a freeze on all of your credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence. To find out more on how to place a security freeze, you can use the following contact information:

 

Equifax Security Freeze

P.O. Box 105788

Atlanta, GA 30348

1-800-685-1111

www.freeze.equifax.com

Experian Security Freeze

P.O. Box 9554

Allen, TX 75013

1-888-397-3742

www.experian.com/freeze/

 

TransUnion

P.O. Box 2000

Chester, PA 19016

1-888-909-8872

freeze.transunion.com

 

You can further educate yourself regarding identity theft, security freezes, fraud alerts, and the steps you can take to protect yourself against identity theft and fraud by contacting the Federal Trade Commission or your state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.  The Federal Trade Commission encourages those who discover that their information has been misused to file a complaint with them.  Instances of known or suspected identity theft should be reported to law enforcement, the Federal Trade Commission, and your state Attorney General.  This notice has not been delayed as the result of a law enforcement investigation.

Primary Health Care, Inc. – Aviso de un evento de seguridad de datos

Primary Health Care Inc. (“PHC”) por este medio notifica sobre un incidente que ocurrió en PHC y que puede afectar la seguridad de la información protegida de salud de algunos pacientes de PHC. Si bien PHC no tiene conocimiento de ningún intento de uso indebido o de un uso indebido real de la información, este aviso contiene detalles acerca del incidente y la respuesta de PHC ante esta eventualidad, así como las medidas que pueden tomar las personas afectadas para proteger su información, si consideran oportuno hacerlo.

¿Qué sucedió? El 1 de marzo de 2017, PHC descubrió que las cuentas de correo electrónico de cuatro de sus empleados habían sido objeto de acceso no autorizado, ocurrido el 28 de febrero de 2017. PHC inmediatamente suspendió el acceso no autorizado a estas cuentas de correo electrónico y comenzó una investigación que incluyó una revisión de su contenido, en busca de información protegida. Se contrató a un investigador forense para que confirmara el alcance del acceso no autorizado a las cuentas de correo electrónico y los Google Drive relacionados con estos. Lamentablemente, PHC no puede confirmar qué correos electrónicos dentro de la cuenta, si los hubo, estuvieron sujetos a un acceso no autorizado. Por lo tanto, el investigador forense revisó las cuatro cuentas de correo electrónico y los Google Drive para determinar qué información protegida de salud podrían haber contenido. A pesar de que no tiene evidencia de que alguno de los correos electrónicos haya estado sujeto a un acceso no autorizado, como medida de precaución, PHC está informando a las personas potencialmente afectadas.

¿Qué información estuvo implicada? La información de los pacientes localizada en una de las cuentas de correo electrónico o de los Google Drive y por lo tanto, sujeta potencialmente a un acceso no autorizado, es una combinación de información que incluye el nombre del paciente, número de teléfono, número del Seguro Social, número de la licencia de conducir, número de cuenta financiera, número de tarjeta de crédito/débito, fecha del servicio, información sobre el diagnóstico y tratamiento, historial médico, centro y proveedor visitado, información del seguro médico/pagador y si corresponde, número de identificación de Medicaid. Actualmente, PHC no tiene evidencia de un intento de uso indebido o de un uso indebido real de la información del paciente como consecuencia de este incidente.

Lo que estamos haciendo. La confidencialidad, privacidad y seguridad de la información del paciente es una de las principales prioridades de PHC, que cuenta con rigurosas medidas de seguridad establecidas para proteger la seguridad de la información que posee. Además, como parte de nuestro compromiso continuo hacia la seguridad de la información protegida de salud a su cuidado, está trabajando para implementar garantías y medidas de seguridad adicionales para mejorar la privacidad y seguridad de la información que se encuentra en sus sistemas. PHC ha informado a las personas afectadas y reportará este incidente al Departamento de Salud y Servicios Humanos de EE. UU. (Department of Health and Human Services, HHS).

Como precaución adicional, PHC ha hecho arreglos para que AllClear ID proporcione 12 meses de servicios de protección de identidad a las personas afectadas, comenzando en la fecha del aviso.

Lo que usted puede hacer. Puede revisar los estados de cuenta bancarios y los de su tarjeta de crédito, la explicación de formularios de beneficios y los informes de crédito en busca de actividades sospechosas. Informe sobre esas actividades a su banco, al emisor de su tarjeta de crédito o a su compañía de seguros médicos.

Para obtener más información. PHC comprende que los pacientes puedan tener preguntas sobre este incidente las cuales no se abordaron en esta notificación. Si tiene alguna pregunta adicional, puede comunicarse con PHC llamando al (855) 303-9813.

PHC lamenta sinceramente cualquier inconveniente que este incidente haya causado.

Steps You Can Take to Protect Your Information.

We encourage potentially affected individuals to remain vigilant against incidents of identity theft and fraud, to review their account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of your credit report.

At no charge, you can also have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it may also delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

Equifax

P.O. Box 105069

Atlanta, GA 30348

800-525-6285

www.equifax.com

Experian

P.O. Box 2002

Allen, TX 75013

888-397-3742

www.experian.com

TransUnion

P.O. Box 2000

Chester, PA 19106

800-680-7289

www.transunion.com

 

You may also place a security freeze on your credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. If you have been a victim of identity theft and you provide the credit bureau with a valid police report, it cannot charge you to place, lift, or remove a security freeze. In all other cases, a credit bureau may charge you a fee to place, temporarily lift, or permanently remove a security freeze.  Fees vary based on where you live, but commonly range from $3 to $15.  You will need to place a security freeze separately with each of the three major credit bureaus listed above if you wish to place a freeze on all of your credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence. To find out more on how to place a security freeze, you can use the following contact information:

Equifax Security Freeze

P.O. Box 105788

Atlanta, GA 30348

1-800-685-1111

www.freeze.equifax.com

Experian Security Freeze

P.O. Box 9554

Allen, TX 75013

1-888-397-3742

www.experian.com/freeze/

TransUnion

P.O. Box 2000

Chester, PA 19016

1-888-909-8872

freeze.transunion.com

 

You can further educate yourself regarding identity theft, security freezes, fraud alerts, and the steps you can take to protect yourself against identity theft and fraud by contacting the Federal Trade Commission or your state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.  The Federal Trade Commission encourages those who discover that their information has been misused to file a complaint with them.  Instances of known or suspected identity theft should be reported to law enforcement, the Federal Trade Commission, and your state Attorney General.  This notice has not been delayed as the result of a law enforcement investigation.