Alive Hospice in Tennessee is notifying patients whose personal and protected health information were in employee emails that were accessed by an unknown person or persons beginning on December 20, 2017 and again on April 5, 2018 after two employees fell prey to phishing attacks. The attacks were discovered on May 15, 2018.
Here is their full press release/notification:
On or around December 20, 2017, and April 5, 2018, Alive Hospice experienced email phishing events that affected an employee email account. Alive Hospice immediately took steps to respond to and investigate these events and, while the investigations found no evidence of unauthorized access to personal information, Alive Hospice took steps to change the user’s password on both occasions, in an abundance of caution. On or around May 15, 2018, during a review of its email system, Alive Hospice learned of ongoing unauthorized activity in the employee’s email account that may have resulted in unauthorized access to certain personal information. Alive Hospice immediately commenced an investigation to determine the nature and scope of the incident, as well as determine what information may be affected. Through the investigation, which included working with third party forensic investigators, Alive Hospice determined that an unauthorized actor(s) gained access to two Alive Hospice employee email accounts. The investigation determined the unauthorized activity began on or around December 20, 2017, for one user, and on or around April 5, 2018 for the other user. The investigation also determined that the emails affected by this incident contained personal information. While the information potentially affected varies by individual, Alive Hospice’s investigation determined that the information that may have been affected includes name, date of birth, Social Security number, passport number, driver’s license or state identification number, copy of birth or marriage certificate, financial account number, medical history information, treatment and prescription information, health insurance information, username/email and password information, biometric identifiers, IRS pin number, digital signatures, and security questions and answers. To date, Alive Hospice has no evidence that any information potentially impacted by this incident was subject to actual or attempted misuse.
The confidentiality, privacy, and security of information in Alive Hospice’s care is one of its highest priorities. Upon learning that patient information may have been affected by this incident, Alive Hospice commenced an investigation to confirm the nature and scope of the event and identify what personal information may have been present in the affected emails. With the assistance of third party forensic investigators, Alive Hospice has been working to identify and put in place resources to assist potentially impacted individuals. While Alive Hospice already has stringent security measures in place to protect information in its systems, Alive Hospice is also implementing additional safeguards to protect the security of information.
On July 13, 2018, Alive Hospice will begin mailing notice letters to individuals who may have been affected by this incident. Alive Hospice has offered potentially impacted individuals access to credit monitoring and identity restoration services for one year without charge. Alive Hospice is also encouraging potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor credit reports and explanation of benefits forms for suspicious activity. Alive Hospice’s notification to potentially impacted individuals includes information on obtaining a free credit report annually from each of the three major credit reporting bureaus by visiting www.annualcreditreport.com, calling 877-322-8228, or contacting the three major credit bureaus directly at: Equifax, P.O. Box 105069, Atlanta, GA, 30348, 800-525-6285, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com. Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General. Alive Hospice has provided notice of this incident to the U.S. Department of Health and Human Services, as well as required state regulators.
Alive Hospice has set up a dedicated assistance line to answer questions regarding this incident. The dedicated assistance line may be reached at (888) 998-7768 (toll free), Monday through Friday from 7 am – 7 pm Central Time.
SOURCE Alive Hospice