HIPAA Breach Notification 3-1-23
On March 1, 2023, one of our employees received a suspicious email purporting to be from one of our vendors requesting payment. We determined the email was not legitimate and immediately engaged our IT company to investigate and ensure our systems were secure. We also engaged cybersecurity legal counsel to assist in addressing the potential situation. Our counsel secured a separate cybersecurity IT company that has expertise specifically in forensic work to work with our IT company to ensure we had the best tools to investigate the incident.
The investigation determined that an unauthorized third party gained access to one of our employee’s email accounts (a Microsoft 365 online account) beginning on February 21, 2023, through a phishing email scam. That access was cut off when we received the suspicious email on March 1. It was determined that three documents on our systems, linked from emails, had been accessed by the third party. Two of the documents were internal in nature and one contained the following information for fewer than 50 patients: full names, internal patient identification number, and insurance provider. It was unfortunately not possible to determine which, if any, specific emails were accessed or read by the unauthorized third party. We can say that the emails themselves were not downloaded, no other documents saved to our system were accessed by this third party, and our patients’ medical records stored on our independent third-party vendor site remained secure. The limit of the third party’s access was the potential viewing of the emails on the one employee account and three documents on our system.
Because we cannot determine what emails may have been accessed/read and some of the emails on the account could contain personal health information of our patients (either in the email or as an attachment), we are alerting all patients that certain information may have been viewed. We have sent an individual communication to every patient that could be affected, including the ones on the one document we know was viewed, as mentioned above. Information contained in the accessed employee email account could include the following: treatment information (including the hearing aid worn by the patient), full name, address, date of birth, driver’s license number, Social Security Number, insurance claims information, patient identification numbers, health information, and credit card/bank account information.
Securing your personal information is important to us. Accordingly, we have implemented additional security measures to protect your information from future unauthorized access, however unlikely it may be. This includes providing additional training to the employee and the entire workforce regarding HIPAA requirements and further improving password and network security. Our cybersecurity counsel is also assisting us with updating our policies and systems to increase security, as well as our response should an incident occur in the future. Please be assured that we have taken every step necessary to address the incident.
We encourage you to remain vigilant and monitor your credit reports for suspicious activity. You can obtain a free credit report from each of the three credit bureaus by calling 1-877-322-8228. You may also place a “fraud alert” on your credit file at no charge, which alerts creditors to take additional steps to verify your identity prior to granting credit in your name. Please note, placing a fraud alert may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. You can contact the credit bureaus listed below to place an alert on your account or with any questions regarding your credit report.
Equifax
800-525-6285
www.equifax.com
Experian
888-397-3742
www.experian.com
TransUnion
800-680-7289
www.transunion.com
For more information regarding identity theft please visit the Computer Crime Information and Resources website run by the Office of the Attorney General of Virginia at https://www.oag.state.va.us/CCSWeb2/. You can also contact that office at:
Office of the Attorney General
Computer Crime Section
202 North Ninth Street
Richmond, VA 23219
(804) 786-2071
cybercrimeunit@oag.state.va.us
We sincerely apologize for the inconvenience and concern this incident has caused you. Your information privacy is important to us, and we will keep you informed of any developments in the investigation which may be of importance to you.
If you have further questions or concerns, please contact us at the toll-free number we set up to communicate on this issue: 1-833-612-7600, between the hours of 9 a.m. and 5 p.m., Monday – Friday, or by sending an email message to rgrohler@beltonehr.com. Please also continue to return to this website for updated information.