Notice to our Patients of an Email Incident
Addison County Home Health and Hospice (“Addison”) is committed to protecting the confidentiality and security of the information we maintain. Regrettably, this notice is regarding an incident that involves some of that information.
On April 26, 2019, we learned that an unauthorized person gained access to an employee email account on February 19, 2019. We immediately secured the account and began an investigation, and a leading cyber security firm was engaged to assist in determining what happened and what information may have been contained in the email account. The investigation was unable to determine whether the unauthorized individual actually viewed any of the emails in the account. However, in an abundance of caution, we reviewed all emails and attachments in the account to find information that may have been accessible to the unauthorized person. The investigation determined that some patient information was contained in the email account, including patient names, clinical information, and in some instances, medical record numbers and Social Security numbers.
We have no indication that any patient information has been misused. However, in an abundance of caution, we mailed letters to affected patients on June 25, 2019 and established a dedicated call center to answer questions. If you believe you have been affected by this incident and do not receive a letter by July 25, 2019, or if you have questions, please call 1-833-800-0020, from 8 a.m. to 5:00 p.m. Eastern Time, Monday through Friday.
We recommend that affected patients review the statements they receive from their healthcare provider. If they see services they did not receive, they should contact the provider immediately. For those patients whose Social Security numbers were included in the email accounts, we are offering a complimentary membership of credit monitoring and identity protection services.
To help prevent something like this from happening in the future, we required a password change for the email account, are implementing additional technical security measures, and are reinforcing employee training on how to detect and avoid phishing emails.