NC: Central Dermatology Center notifies patients after discovering malware had been inserted in their system in 2012
Central Dermatology Center (“Central”) announced on November 7, 2014 that on September 25, 2014 it became aware that one of its servers had been compromised by malicious software (“malware”). Central immediately consulted with forensic IT experts to identify and remove the malware and determine exactly what information on the server may have been accessed. The malware was removed and the server has been disconnected from Central’s system.
The information on the server that may or may not have been accessed included patients’ name, address, phone numbers, date of birth, social security number, billing and diagnostic codes, insurance company, insurance co-payment information, healthcare provider, employer information, sex, treatment date, account balance, email address, and race.
Based on Central’s forensic investigation to date it is believed that patient bank account and payment card information were not compromised and electronic medical records were not on this server as they were encrypted by Central prior to the malware being placed on the server.
“Taking aggressive action early and confronting this issue is consistent with the practice’s core value of behaving in an ethical and transparent fashion,” said Greg Catt, Practice Administrator at Central Dermatology Center & Carolina Medi-Spa. “Central hired a prominent forensics security expert firm and an information technology firm that investigated this incident, reviewed all systems, and Central has improved our security wherever necessary to help protect our community. On behalf of the people of Central Dermatology Center, we sincerely apologize for any inconvenience this may cause.”
As part of our investigation in this matter, we consulted with an IT forensics firm and a separate IT company who specialize in this area. The investigation revealed that malware compromised a password protected Central server on or about August 9, 2012 despite safeguards in place, including software on the server designed to prevent such malware. We contacted, and will continue to work with, local law enforcement, the Federal Bureau of Investigation, North Carolina Attorney General, nationwide consumer reporting agencies, and the U.S. Department of Health and Human Services regarding this matter.
Central is notifying potentially affected patients and patients are being offered free credit monitoring and identity theft protection. Patients are encouraged to take advantage of these services being provided by Equifax. Additionally, Central created a data security incident call center to answer patient questions, including whether your information was included in this incident. That number is (800) 448-6104. The call center hours are Monday-Friday from 11am-7pm Eastern Time.
Moreover, you can remain vigilant by reviewing account statements and you can order a free credit report at www.annualcreditreport.com, or by calling toll-free (877) 322-8228, or by completing the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s website at www.ftc.gov and mailing it to Annual Credit Report Services, P.O. Box 105281, Atlanta, GA 30348-5281. Further, you may obtain information from the three major consumer credit reporting agencies, Equifax, (800) 525-6285, Equifax Credit Information Services, Inc., P.O. Box 740241, Atlanta, GA 30374; Experian (888) 397-3742, P.O. Box 4500, Allen, TX 75013 (mailing address for disputes, all other services available at www.experian.com); and TransUnion (800) 680-7289, TransUnion LLC, P.O. Box 2000, Chester, PA 19022-2000.
You can obtain information about preventing identity theft, fraud alerts, and credit freezes from the U.S. Federal Trade Commission and the North Carolina Attorney General’s Office. You can call the U.S. Federal Trade Commission at (877) 382-4357 and the address for the U.S. Federal Trade Commission is 600 Pennsylvania Ave, NW, Washington, DC 20580. You can obtain information from the North Carolina Attorney General’s Office through their website at www.ncdoj.gov, call toll free to (877) 566-7226, or send mail to 9001 Mail Service Center, Raleigh, NC 27699-9001.
Additionally, you should report any identity theft to local law enforcement and the state attorney general of your state of residence.
SOURCE: Central Dermatology Center