Notice of Data Security Incident
Healthcare Administrative Partners (“HAP”) recently experienced a data security incident that may have impacted patients’ protected health information (“PHI”). HAP is a medical billing and coding partner that assists healthcare providers with billing and coding services. HAP takes the privacy and security of PHI seriously, and sincerely apologizes for any concern or inconvenience this may cause patients.
On September 16, 2019, HAP determined that PHI was present in an email account that was accessed by an unauthorized individual. HAP became aware of suspicious activity associated with an email account on June 26, 2019, and immediately changed all employee passwords and enabled additional security controls in its email environment.
After learning of the incident, HAP engaged independent computer forensic experts to assist with its investigation. The forensic investigation confirmed that an unauthorized individual accessed the corporate email account, but was unable to identify what emails or attachments, if any, may have been viewed by the unauthorized individual. Out of an abundance of caution, HAP conducted a comprehensive review of the employee’s mailbox to determine what personal information may have been present in the email account. HAP notified the healthcare providers of these results on October 4, 2019.
What information was involved?
The review concluded on September 16, 2019 and found that the account contained some combination of the following PHI: patient names, addresses, dates of birth, medical record numbers, doctors’ names, prescriptions, medical diagnosis or limited treatment information.
What we are doing:
HAP has taken steps to prevent this kind of event from happening in the future. Since the incident, all passwords have been reset, external emails are now labeled as external, mailbox size restrictions and archiving requirements have been implemented, and HAP is evaluating options for multi-factor authentication and retraining employees on recognizing and responding to suspicious emails.
What you can do:
At this time, there is no evidence that any patient information was viewed or misused by the unauthorized individual. You can find information about protecting your identity here, including recommendations by the Federal Trade Commission regarding identity theft protection and details on how to place a fraud alert or a security freeze on your credit file. It is also a good idea to monitor your Explanation of Benefits (EOB) for suspicious activity.
For more information
For more information, please call 1-833-281-4831 Monday through Friday from 8 am – 10 pm Central Time, and 10 am – 7 pm Central Time Saturday and Sunday. Your trust is our top priority, and HAP deeply regrets any inconvenience or concern that this matter may cause.
U.S. State Notification Requirements
For residents of Hawaii, Michigan, Missouri, New Mexico, Virginia, Vermont, and North Carolina: It is recommended by state law that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity.
For residents of Colorado, Illinois, Iowa, Maryland, Missouri, New Mexico, North Carolina, Oregon, Washington, and West Virginia:
It is required by state laws to inform you that you may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report by contacting any one or more of the following national consumer reporting agencies:
Equifax, P.O. Box 105139, Atlanta, GA 30374, 1-800-685-1111
Experian, P.O. Box 2002, Allen, TX 75013, 1-888-397-3742
TransUnion, P.O. Box 6790, Fullerton, CA 92834, 1-800-916-8800
You may also obtain a free copy of your credit report online at www.annualcreditreport.com, by calling toll-free 1-877-322-8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.
For residents of Iowa:
State law advises you to report any suspected identity theft to law enforcement or to the Attorney General.
For residents of Oregon:
State laws advise you to report any suspected identity theft to law enforcement, as well as the Federal Trade Commission.
For residents of Colorado, Maryland, Illinois, North Carolina, and Rhode Island:
You can obtain information from the Maryland, North Carolina, and Rhode Island Offices of the Attorneys General and the Federal Trade Commission about fraud alerts, security freezes, and steps you can take toward preventing identity theft.
Maryland Attorney General, Consumer Protection Div., 200 St. Paul Place, Baltimore, MD 21202
North Carolina Attorney General, Consumer Protection Div., 9001 Mail Service Center, Raleigh, NC 27699-9001
Rhode Island Attorney General, Consumer Protection Div., 150 South Main Street, Providence, RI 02903
Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580
For residents of Massachusetts:
It is required by state law that you are informed of your right to obtain a police report if you are a victim of identity theft.
For residents of all states:
Fraud Alerts: You can place a fraud alert with the three credit bureaus by contacting one of the three major credit bureaus by phone, or via each credit bureau’s website. A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but it may also delay you when you seek to obtain credit. The contact information for all three credit bureaus is below. As of September 21, 2018, fraud alerts last one year, instead of 90 days. Fraud alerts continue to be free, and identity theft victims can still get extended fraud alerts for seven years.
Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity.
Security Freeze: A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, each credit reporting agency has a dedicated web page for security freezes and fraud alerts or you can request a freeze by phone or by mail. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request may also require a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. Effective September 21, 2018, placing a freeze on your credit report is now free for all United States citizens.
Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348
Experian Security Freeze, P.O. Box 9554, Allen, TX 75013
TransUnion (FVAD), P.O. Box 2000, Chester, PA 19022
More information can also be obtained by contacting the Federal Trade Commission listed above.