Josh Cross reports:
Files containing personal information for up to 8,000 individuals who visited a local health care center since 2005 were on a laptop that was stolen from a Hendersonville home in August.
The computer, which was issued to a member of Hope Family Health’s finance department, was taken during a burglary Aug. 4 and contained personal data such as patient names, Social Security numbers and dates of birth, said Chief Compliance Officer Joey Forman.
“The information was fingerprint- and password-protected; however, it was not encrypted,” he said. “We don’t believe that anyone’s information has been accessed or used in any way that could cause harm.”
Read more on The Tennessean. HFH did not offer those affected any free credit monitoring services, even though having names, SSN, and DOB would be enough to steal the patients’ identities for fraudulent purposes.
A notice, dated September 2, can be found on HFH’s web site:
HOPE is committed to maintaining and securing every aspect of your privacy. We treasure our relationship with each and every patient. This is why we need to inform you of a recent event that may affect you or someone you may know. On Sunday, August 4, 2013 at 9:00 p.m., HOPE Family Health discovered the theft of a laptop computer owned by the organization and issued to one of our management employees working in the finance department. The laptop computer was stolen from the employee’s home address during a series of burglaries at multiple homes in the neighborhood that evening. HOPE immediately reported the incident to the Police Department and quickly began working with authorities to recover the stolen property. Law enforcement agencies are continuing to investigate this specific case. Several individuals have already been arrested and charged with possible involvement. So far there is no indication that any of our patients’ information has been accessed or used by any unauthorized individual.
What kind of information are we talking about?
The laptop computer contained Health Center data that was both password and fingerprint protected, but not encrypted. It included proprietary financial records, billing records and patient account information dating back to 2005 for as many as 8,000 past and/or current patients. This information may include a name, date of birth, social security number and billing address. Although we believe it to be highly unlikely, this private information could potentially be accessed by the criminals responsible for this theft.
What is HOPE doing to protect my information?
HOPE has taken immediate steps to better protect the private information of our patients and to prevent an event like this from ever taking place again. Here are a few things we have done and are continuing to do:
• All digital private patient information is now secured on an encrypted server instead of individuals’ computers. This server can only be accessed by individuals who have been authorized to do so by HOPE Family Health.
• All hard-copy private patient information has been secured in digitally locked record rooms at the Health Center.
• All HOPE personnel are required to regularly attend information management training to ensure that all employees are both aware of and practicing the safest procedures possible when it comes to protecting your private information.
• HOPE has moved its new Electronic Health Record System (e-ClinicalWorks) to an encrypted cloud-based server that uses the most secure technology available that follows HIPAA compliant protocols for storing patient information.
• HOPE has worked with top legal experts to review and update existing policies and procedures that govern the methods we use to protect your private information. All recommended changes have been adopted.
• In late 2012 HOPE established a Chief Privacy Officer and Confidentiality & Security Team. As HOPE policy states: “This Privacy Officer will oversee all ongoing activities related to the development, implementation, and maintenance of HOPE’s privacy policies and procedures in accordance with applicable federal and state laws as to ensure the privacy of HOPE’s patients is regarded with the utmost concern and attention to detail.”
• HOPE has established a Privacy Hotline to assist patients in questions they may have regarding their protected information. This hotline can be reached at 615-644-2000 then dial ext. 125.
What do I need to do to protect my information?
We are deeply aware of how important your personal information is to you; it is equally as important to us. In addition to the steps we have already taken, there are several steps you can take to protect yourself from fraud both now and in the future. We have already advised the three major U.S. credit reporting agencies about this incident and have given those agencies an official report, alerting them to the fact that the incident occurred. However, we have not notified them about the presence of patient specific information in the data breach. Because this is a serious incident, we strongly encourage you to take these steps now to help prevent and detect any misuse of your information:
1. First, if you are a HOPE patient or have been treated at the health center dating back to January of 2005 you may be affected by this data breach. To verify if you were or were not affected you may call the health center at 615-644-2000 and dial ext. 125 to speak to a member of our privacy team.
2. Next, if your information was involved, we recommend that you immediately place a fraud alert on your credit files to protect yourself from the possibility of identity theft. An initial fraud alert is valid for 90 days. To initiate a fraud alert, contact ONE of the three major credit reporting agencies listed below. It is not necessary to contact all three; the one you contact will notify the other two as they are required to by law. To make this process as easy for you as possible we are providing the information below for each credit agency. If you need any help with this process please feel free to contact HOPE’s Privacy Hotline at 615-644-2000 and dial ext. 125.
3. After the fraud alert is complete, if anyone attempts to open a credit account in your name (related to this incident or any other), the lender will be alerted that you could be a victim of fraud. The lender should then take appropriate measures to verify your identity and intent to open the account. (Please note, a fraud alert should not prevent you from using your existing credit cards or any other extensions of credit.)
4. After the call to one of the above agencies you will receive a letter with instructions about how to get a free copy of your credit report. Once you receive your credit report, review it carefully to verify that all information is correct and that there are no accounts you did not open.
5. We suggest that you monitor your credit reports for several months.
6. We also suggest that you closely monitor your financial/bank accounts for several months. Report anything suspicious to your financial institution or bank right away.
7. Even if you do not find any suspicious activity on your initial credit reports or financial accounts, we recommend that you check them regularly. Doing this can help you spot problems and address them quickly. Financial fraud is becoming more and more common, and this good practice will help protect you from harm that may come your way related to this event or any other.
We understand that this event may cause worry and inconvenience in your life, and for that we are deeply sorry. We sincerely regret this incident occurred on our watch and commit to minimizing the risk of anything similar taking place in the future. We respect the private nature of your personal information and always strive to protect it from unauthorized or unnecessary disclosure. We are committed to providing you with consistent quality healthcare, including the protection of your privacy. We do sincerely ask that you give us the opportunity to demonstrate just how serious we are about this commitment.
Many things have changed at HOPE over the past year as we have continued to grow. With this growth, great things are in store for our patients as we strive to become one of the leading medical and mental healthcare providers in this community. We invite you to continue to be part of the great work that is taking place at HOPE. If you have any questions, please do not hesitate to contact the office of HOPE’s Chief Privacy Officer directly at (615) 644-2000, ext. 112, or feel free to send an email to firstname.lastname@example.org.
AUTHORIZED FOR OFFICIAL RELEASE BY THE OFFICE OF:
Joey Forman, CIO/CDO/CCO
Chief Information & Development Officer
Facilitating the role of Chief Privacy Officer
Facilitating the role of Chief Compliance Officer