IN: Orleans Medical Clinic Patient Information Breach
Orleans Medical Clinic was recently the victim of a hacking incident that resulted in inappropriate access to certain information about the Clinic’s patients. On or about April 17, 2016, we became aware of suspicious activity involving one of our computer servers. We initiated an investigation and learned that our computer server that contained electronic health record data had been left unsecured after the server was upgraded. As a result, computer hackers gained access to the server over a period of time from April 5, 2016 until April 17, 2016. On July 21, 2016, we received confirmation of the individuals and information potentially affected by the breach.
While our investigation was not able to definitively conclude whether the hackers actually accessed or obtained a particular individual’s information, it would have been possible for the hackers to access and obtain patient information about all of our current and former patients, including medical records and demographic information such as date of birth and social security number. This incident did not involve or affect the security of our patient portal in any manner, and at no point were we unable to access the information needed to provide high quality health care services to patients. Upon learning of the incident, we immediately secured the server so that this type of attack could not occur again.
We sent letters to each of our patients to inform them of this incident and to identify the steps that patients can take to protect themselves from the potential misuse of this information. In order to help patients prevent possible misuse of their information, we have arranged with Equifax Personal Solutions to offer identity theft protection for 1 year at no cost to patients. Information about how to enroll in the free identity theft protection is included in the letters mailed to patients or by calling the toll-free number we established for this matter. In addition, although no bank or credit card data was on the server, we recommend that patients contact their bank(s) and credit card issuer(s) to inform them of what has taken place and check their bank, credit card, and other bills/statements for any recent irregular activity and monitor those accounts closely for the next year.
We have reported the incident to the FBI, the U.S. Department of Health and Human Services Office for Civil Rights, and the Indiana Attorney General, each of whom has opened an investigation.
We deeply regret that this incident occurred. We are committed to providing quality care and protecting PHI. We have established a call center to answer any questions that patients may have about this incident. Patients may contact the call center at (888) 522-8801 between 9 a.m. and 9 p.m. Eastern time, Monday through Friday.
SOURCE: Orleans Medical Clinic
Note: this incident was reported to HHS as affecting 6,890 patients.