A press release issued today.
On September 18, 2018 Episcopal Health Services became aware of suspicious activity in employee email accounts. We immediately began an investigation to determine what happened and what information may have been affected. With the assistance of third-party forensic investigators, we determined that certain employee email accounts were subject to unauthorized access between August 28, 2018 and October 5, 2018. These email accounts were then reviewed to determine whether they contained any protected health or personal information. On November 1, 2018, Episcopal Health Services determined that the accounts subject to unauthorized access contained protected health information of certain individuals. Episcopal Health Services is not aware of any reported attempted or actual misuse of any personal information as a result of this event. The types of information contained within the potentially impacted emails are: Social Security number, date of birth, financial account information, medical history information, prescription information, medical record number, treatment or diagnosis information, and health insurance information or policy number. The types of information varied by individual.
On November 15, 2018, Episcopal Health Services began mailing notice letters to individuals whose information was contained within the impacted accounts and for whom they had a postal address. Episcopal Health Services continued reviewing the contents of the impacted email accounts to determine whether they contained any protected information. On February 26, 2019, Episcopal Health Services determined that the additional accounts subject to unauthorized access contained protected information of certain individuals. However, the list of potentially affected individuals provided by the vendor did not include addresses for a large number of individuals and included many potential duplicates. Therefore, Episcopal Health Services was required to review its records to attempt to locate the missing addresses and remove potential duplicates. This process was completed on March 19, 2019. As a result of this continued review, Episcopal Health Services mailed a second round of notice letters to additional individuals whose information was determined to be contained within the impacted email accounts and for whom they had a postal address. Episcopal Health Services has offered potentially impacted individuals access to credit monitoring and identity theft protection services for one year without charge.
Episcopal Health Services encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity. Episcopal Health Services is providing potentially impacted individuals with contact information for the three major credit reporting agencies, as well as providing advice on how to obtain free credit reports and how to place fraud alerts and security freezes on their credit files. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. The relevant contact information is below:
Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.
Episcopal Health Services has set up a call center to answer questions from those who may have been impacted by this incident. The call center can be reached at 1-866-775-4209 (toll free), Monday through Friday, 9:00 a.m. to 6:00 p.m. ET
Additional information on how potentially impacted individuals can protect themselves can also be found at Episcopal Health Services’ website www.ehs.org. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.
SOURCE Episcopal Health Services