Monroe County Hospital & Clinics (MCHC) in Albia, Iowa recently experienced an information security incident involving some patients’ personal health information. On December 19, 2019, MCHC discovered a cybersecurity incident that compromised its business e-mail system. MCHC immediately began an investigation and hired an outside forensic computer expert to determine the size and scope of the attack.
The investigation found that one or more unauthorized individuals from outside of MCHC had access to several employees’ e-mail accounts between October 28, 2019 and January 20, 2020. The attack did not impact MCHC’s electronic medical record or billing systems. The only unauthorized access to patient information may have occurred through the compromised e-mail accounts where the information was in the body of an e-mail or in an attachment (such as a report used for internal business purposes).
MCHC engaged computer forensic investigators to manually review the contents of the compromised e-mail accounts to determine if any accounts contain personal health information. The investigation indicates that patients’ personal health information was contained in one or more of the compromised e-mail accounts. Information that may have been accessed includes full name, demographic information (such as address and date of birth), date(s) of service, medical record number, insurance status or payor type, and clinical information (such as a diagnosis code, reason for visit, and other treatment-related information). For some individuals, the information also included Social Security Number.
After learning of the attack, MCHC took a number of important steps to prevent similar incidents from occurring in the future. This included requiring all MCHC employees to reset their e-mail account passwords and conducting additional training regarding e-mail cyberattacks. MCHC is also working to deploy additional technologies designed to prevent similar attacks.
MCHC has sent letters to impacted individuals for whom MCHC has valid addresses by U.S. mail. The letters contain important information about steps individuals can take to help prevent medical identity theft or fraud. MCHC continues to work with the computer forensic investigators to manually review additional compromised accounts. If MCHC determines that an individual’s Social Security number, driver’s license number, or financial account information was included in one of the e-mail accounts that is under review, MCHC will send a follow-up notification in writing.
MCHC has arranged for a one-year enrollment in an online credit monitoring service provided by Equifax, one of the three nationwide credit reporting companies. Instructions on how to enroll in this free service are included in the letters sent to affected individuals.
Below is information about other precautionary measures affected individuals can take, including placing a fraud alert and/or security freeze on credit files and obtaining a free credit report.
Individuals who have questions or concerns about this incident can call a confidential, toll-free hotline that is staffed with professionals familiar with this incident who can assist with questions and the steps impacted individuals can take to protect against identity theft and fraud. The hotline is available at 1-866-977-0798, Monday through Friday, from 8 am – 8 pm Central Standard Time.
MCHC takes the privacy and security of patients’ information very seriously and deeply regrets any inconvenience this incident may have caused patients and their families.
– ADDITIONAL PRIVACY SAFEGUARDS INFORMATION –
Fraud Alert Information
Whether or not you enroll in credit monitoring, we recommend that you place a “Fraud Alert” on your credit file. Fraud Alert messages notify potential credit grantors to verify your identification before extending credit in your name in case someone is using your information without your consent. A Fraud Alert can make it more difficult for someone to get credit in your name; however, please be aware that it also may delay your ability to obtain credit. Call only one of the following three nationwide credit reporting companies to place your Fraud Alert: TransUnion, Equifax, or Experian. As soon as the credit reporting company confirms your Fraud Alert, they will also forward your alert request to the other two nationwide credit reporting companies so you do not need to contact each of them separately. The contact information for the three nationwide credit reporting companies is:
PO Box 740256
PO Box 2000
PO Box 9554
Free Credit Report Information
Under federal law, you are also entitled to one free credit report once every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or make a request online at www.annualcreditreport.com.
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Victim information sometimes is held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the Federal Trade Commission (FTC) at www.identitytheft.gov or at 1-877-ID-THEFT (1-877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations. Also visit the FTC’s website at www.ftc.gov/idtheft to review their free identity theft resources such as their comprehensive step-by-step guide “Identity Theft – A Recovery Plan”.
Security Freeze Information
You can request a “Security Freeze” on your credit file by sending a request in writing, by mail, to each of the three nationwide credit reporting companies. When a Security Freeze is added to your credit report, all third parties, such as credit lenders or other companies, whose use is not exempt under law will not be able to access your credit report without your consent. The Security Freeze may delay, interfere with or prohibit the timely approval of any subsequent request or application you make that involves access to your credit report. This may include, but is not limited to, new loans, credit, mortgages, insurance, rental housing, employment, investments, licenses, cellular phone service, utility service, digital signature service, Internet credit card transactions and extension of credit at point of sale. There may be a fee for placing, temporarily lifting, or removing a Security Freeze with each of the nationwide consumer reporting companies, although that fee is waived if you send the credit reporting company proof of eligibility by mailing a copy of a valid identity theft report, or other valid report from a law enforcement agency to show you are a victim of identity theft and are eligible for free Security Freeze services.
To place a Security Freeze on your credit files at all three nationwide credit reporting companies, write to the addresses below and include the following information:
|Equifax Security Freeze
PO Box 105788
|TransUnion Security Freeze
PO Box 2000
|Experian Security Freeze
PO Box 9554
- Your full name (first, middle, last including applicable generation, such as JR., SR., II, III, etc.) Your Social Security Number
- Your date of birth (month, day and year)
- Your complete address including proof of current address, such as a current utility bill, bank or insurance statement or telephone bill
- If you have moved in the past 2 years, give your previous addresses where you have lived for the past 2 years
- A legible photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.)
- Include applicable fee. Call or visit each of the credit reporting company websites listed above for information on fees for Security Freeze services. Forms of payment are check, money order, or credit card (American Express, Discover, MasterCard and Visa), or a copy of a valid identity theft report, or other valid report from a law enforcement agency to show you are a victim of identity theft and are eligible for free Security Freeze services.
Within 5 business days of receiving your request for a security freeze, the consumer credit reporting company will provide you with a personal identification number (PIN) or password to use if you choose to remove the freeze on your consumer credit report or to authorize the release of your consumer credit report to a specific party or for a specified period of time after the freeze is in place.
About Monroe County Hospital & Clinics
Established in 1951, Monroe County Hospital & Clinics (MCHC) is a trusted provider of high quality, local health care to the residents of Monroe County, IA and surrounding counties. Our highest mission is a promise to create an excellent health care experience. We believe it must be our number one priority to ensure the personal safety and security of each customer and employee. Our full-service, primary care hospital offers an array of inpatient and outpatient health services including surgical, clinical, specialty, physical therapy, cardiac rehabilitation, occupational therapy, emergency, sleep studies, pain management services and much more. Visit www.mchalbia.com for more information.