Sport and Spine Rehab has become aware of a data security incident that may have involved the personal and protected health information of its patients. We have sent notifications to the potentially involved patients to inform them of this incident and to provide resources to assist them. On June 3rd, 2017, Sport and Spine Rehab was the victim of a ransomware attack that encrypted the data stored on our servers. Within minutes, we were alerted to the attack, our computer network was shut down, and we began an investigation. We also began to take steps to decrypt the impacted data and return to our normal operations, both of which are now fully restored. While our investigation found no evidence to suggest that any files were opened or information accessed by anyone outside of our organization, we are acting out of an abundance of caution to protect our patients from any unseen potential threats. We did determine that some files containing patient information were auto-encrypted/locked by the ransomware virus that infiltrated our old system. The compromised information could include patient names, addresses, dates of birth, Social Security numbers, and medical information.
We take the security of our patients' information very seriously and we have taken steps to prevent a similar event from occurring in the future, including strengthening our preventative security measures, stringent wiping of our system, locking down any access to our server with new protective programming, enhancing training of our employees to recognize and report potentially hazardous messages/programs, fortifying our firewall, and intensifying our backup and virus alert processes. We are also following the federal process for reporting this type of breach to the proper authorities.
The communication sent out to the potentially affected patients includes information about the incident and steps to take in order to monitor and protect their personal information. Please note that only patients who were seen prior to May 1st, 2016 will have received the letter, as the encryption took place within our previous software and server. Our new software and server were not attacked, so information and files related to patients who were new to our office after May 1st, 2016 are not affected.
We have established a call center to answer questions about the incident and related concerns. The call center is available Monday through Friday from 8:00 a.m. to 6:00 p.m., Eastern Time and can be reached at 240-766-0300 option 7. We also have a toll-free number: (833) 827-3288. The privacy and protection of patient information is a top priority, and we deeply regret any inconvenience or concern this incident may cause.
The following information is provided to help patients or others wanting more information on steps they can take to protect themselves:
How do I protect my health care and insurance identity?
Though our investigation has shown that information was only locked but not taken, it is always better to take precautions. With that in mind, we suggest that people contact their healthcare providers if bills don't arrive on time, pay attention to the Explanation of Benefits forms from their insurance company to check for irregularities, and contact their insurance company to notify them of possible medical identity theft or to ask for a new account number.
What steps can I take to protect my personal information?
- If you detect any suspicious activity on any of your accounts, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.
- Obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To order your credit report, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is included in the e-mail and letter, and is also listed at the bottom of this page.
- Please notify your financial institution immediately of any unauthorized transactions made or new accounts opened in your name.
- You can take steps recommended by the Federal Trade Commission to protect yourself from identity theft. The FTC's website offers helpful information at www.ftc.gov/idtheft.
- Additional information on what you can do to better protect yourself is included in your letter.
What should I do to protect myself from payment card/credit card fraud?
- We suggest you review your debit and credit card statements carefully for any unusual activity. If you see anything you do not understand or that looks suspicious, you should contact the issuer of the debit or credit card immediately.
How do I obtain a copy of my credit report?
- You can obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To order your credit report, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is included in the e-mail and letter, and is also listed at the bottom of this page:
How do I put a fraud alert on my account?
- You may consider placing a fraud alert on your credit report. This fraud alert statement alerts creditors to possible fraudulent activity within your report and requests that your creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact Equifax, Experian or TransUnion and follow the Fraud Victims instructions. To place a fraud alert on your credit accounts, contact your financial institution or credit provider. Contact information for the three nationwide credit reporting agencies is included in the letter and is also listed at the bottom of this page.
Contact information for the three nationwide credit reporting agencies is as follows:
- Equifax Security Freeze, PO Box 105788, Atlanta, GA 30348, 1-800-685-1111, www.equifax.com
- Experian Security Freeze, PO Box 9554, Allen, TX 75013, 1-888-397-3742, www.experian.com
- TransUnion (FVAD), PO Box 2000, Chester, PA 19022, 1-800-888-4213, www.transunion.com
Contact information for your Attorney General:
Attorney General of Maryland – 1-888-743-0023
Attorney General of Virginia – (804) 786-2071
The ever-developing landscape of healthcare information technology provides us with vast possibilities. It gives us the valuable ability to share information between doctors instantly, make quicker diagnoses and treatment plans, and ensure the best possible care for patients. We can ensure the storage of digital medical information forever without having to maintain large paper folders that can become damaged or lost (or potentially stolen!). Along with those advancements come some inevitable challenges. It is our Vision at Sport and Spine Rehab to inspire and empower a healthier, happier world. That includes happiness with the world of advanced technology and keeping your information safe from the dangers that may arise. We can't do it alone. Everyone should remain vigilant as more of these ransomware viruses are emerging across the globe, affecting businesses and individuals in every industry and neighborhood. We will be posting a blog about how to spot and report fake emails, phishing, and viruses. Please feel free to reach out to us with any questions or concerns you may have by phone or email at [email protected]. As always, we are here FOR you and BECAUSE of you. We truly appreciate and are honored that you have chosen to be a patient with us and we will continue to strive to provide you with the most excellent service, the highest quality care, the most advanced evidence-based treatment techniques and technology, and the best rehabilitative outcomes.
Cat Lovejoy, Director of Service Excellence
Sport and Spine Rehab