A Notice to our Patients and their Guarantors
Conway Medical Center (“CMC”) is notifying individuals of an incident that involved personal information of some of its patients and patients’ financial guarantors.
What happened? Like many other companies, CMC was a recent victim of an email “phishing” scam that resulted in unauthorized access to a limited number of individual employee email accounts. “Phishing” involves scammers sending emails that look legitimate, but in reality, are fraudulent. The emails often have malicious links or documents within them that, when clicked, allow the scammer to gain access to the account – often without the knowledge of the email account user/owner. Companies all over the world are faced with the threat of these types of phishing scams every day, as scammers increasingly become more sophisticated. Unfortunately, phishing scams are often very hard to detect.
Upon discovery of the incident at issue on October 7, 2019, CMC promptly terminated the unauthorized access. We engaged outside experts to investigate the incident thoroughly to determine the full nature and scope of the access, to ensure our information technology systems are truly secure, and to identify (through a very tedious technical assessment and hand document review process) the exact emails that were actually acquired by the unauthorized third party. After expert analysis, it was determined that the unauthorized access for some email accounts was in or before July. Because of the way the email account(s) was accessed, certain emails potentially synchronized onto the computer of the unauthorized third party. As such, in an abundance of caution, CMC searched / hand-reviewed applicable emails to determine whether sensitive data was located within any of the emails in order to provide appropriate notice to affected individuals.
What information was involved? On November 20, 2019, CMC was alerted that the information within the email accounts included information such as name, address, social security number, date of birth, phone number, date of admission/discharge, CMC account number, amount owed, etc. for certain patients. Also included were the names, addresses, phone number, social security numbers, place of employment, etc. for the guarantors of some patient accounts.
Fortunately, the incident was limited solely to certain email account(s).
CMC’s medical records system was not affected at all.
What are we doing? CMC values the safety and security of patient information and is continuing to take steps to enhance its security measures to help prevent something like this from happening in the future.
In addition to the steps noted above, CMC is attempting to notify by letter (at the last known address) those individuals who may have been affected. We are also offering complimentary identity theft protection services to those whose financial data could have been included within the synchronized accounts.
What can you do? We recommend affected persons activate the protection services offered, and as always, remain vigilant and monitor account statements and credit reports carefully. Individuals should report discrepancies to law enforcement. Fraud alerts and security freezes also can be activated to help protect individuals.
For more information or if you have any concern that your information may have been at risk, please call toll-free 1-888-470-4111 between 8:00 a.m. – 5:00 p.m. EST Monday – Friday (excluding holidays).
CMC is continuing to take steps to enhance its security measures to help prevent something like this from happening in the future. We are fully committed to protecting your personal information and sincerely apologize for any concern this incident may have caused you.