Notice of Data Security Incident
On November 14, 2019, we learned that an outside entity sent phishing emails to certain of our employees soliciting their login information to our email system. We immediately commenced an investigation and determined on February 24, 2020, that the entity appears to have been able to use employee credentials to gain unauthorized access from August 26, 2019 through January 7, 2020 to a small number of employee email accounts. On April 22, 2020, our data review experts determined that protected health information belonging to some of our patients was contained within the impacted accounts and therefore was potentially accessed. We have terminated the unauthorized access to our employee email accounts. The access was limited to information that was contained in emails of the impacted employees and did not extend to patient databases.
What Information Was Involved?
The information stored in the affected email accounts varies by individual, but may include first and last name, addresses, date of birth, provider name, date of service, clinical information, treatment information, procedure type and in some cases social security numbers. Our investigation has not found any evidence that this incident involves any unauthorized access to or use of any of MLHS’s information aside from the information contained within the accessed email accounts.
What We Are Doing?
We take the privacy of personal information seriously and deeply regret that this incident occurred. We took steps to address this incident promptly after it was discovered, including initiating an investigation into this incident and working with an independent forensic investigation firm to assist us in the investigation of and response to this incident. Additionally, we have reset all user account passwords and have implemented additional technology measures in order to help prevent this type of incident from reoccurring in the future. MLHS has also reported this incident to law enforcement and will continue to cooperate with any investigation.
What You Can Do?
Notification letters are being sent to potentially impacted individuals on May 11, 2020. The letters include information about this incident and about steps that potentially impacted individuals can take to monitor and help protect their personal information. We have established a toll-free call center to answer questions about the incident and to address related concerns. The call center can be reached at 1-833-979-2230, Monday through Friday from 8:00 am – 8:00 pm Central Time, Monday through Friday or go to https://app.myidcare.com/account-creation/protect In addition, as a precaution, we are offering complementary credit monitoring services to those individuals whose information was potentially impacted.
We deeply regret any inconvenience or concern this incident may cause.
The following information is provided to help individuals wanting more information about steps that they can take to protect themselves:
What steps can I take to protect my private information?
What should I do to protect myself from payment card/credit card fraud?
We suggest that you review your debit and credit card statements carefully in order to identify any unusual activity. If you see anything that you do not understand or that looks suspicious, you should contact the issuer of the debit or credit card immediately.
How do I obtain a copy of my credit report?
You can obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies once every twelve (12) months. To do so, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three agencies is included in the notification letter and is also listed at the bottom of this page.
How do I put a fraud alert on my account?
You may consider placing a fraud alert on your credit report. This fraud alert informs creditors of possible fraudulent activity within your report and requests that creditors contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact Equifax, Experian or TransUnion and follow the Fraud Victims instructions. To place a fraud alert on your credit accounts, contact your financial institution or credit provider. Contact information for the three nationwide credit reporting agencies is listed below.
Contact information for the three nationwide credit reporting agencies is as follows:
Equifax Security Freeze Experian Security Freeze TransUnion (FVAD)
PO Box 105788 PO Box 9554 PO Box 2000
Atlanta, GA 30348 Allen, TX 75013 Chester, PA 19022
1-800-685-1111 1-888-397-3742 1-800-888-4213