Notice of Data Breach - February 2021
Dear Valued Patient, we are contacting you about a data breach that occurred at Cochise Eye and Laser. Please read all the information below and contact us at the number provided below for additional information.
What Happened and When:
We believe that on January 13, 2021, our information systems were attacked by “ransomware,” which we discovered and immediately removed that same day. A “ransomware” attack refers to an extortion scheme where cyber attackers intentionally prevent us from accessing our own information (through a process called “encryption”) and demand money or some other ransom in exchange for giving us access to our own information again. Here, the ransomware attacked our scheduling and billing software by encrypting and/or deleting certain data. This made it impossible for us to access information in our scheduling system. The attack was designed to seek money from us by threatening our daily business functions.
What Was Accessed:
This may constitute a data breach because of the patient information accessed during the extortion attempt. We believe that full names, dates of birth, home addresses, phone numbers, and in some cases Social Security numbers may have been accessed as part of the extortion attempt. The ransomware may also have accessed “CPT” and “ICD” codes, which are billing codes used in the medical industry to describe diagnoses, services, and treatment. As a result, anyone who accessed the CPT and ICD codes could have learned certain patient diagnoses, services, and treatment.
Please understand that we keep all our actual patient health records (e.g., your “chart”) in physical files, meaning your actual records were never accessed by this ransomware. Nevertheless, because of the nature of the information that was accessed, we are taking this situation very seriously.
What We Have Done and Are Currently Doing to Investigate the Matter, Mitigate Harm to Patients, and Protect Against Future Breaches:
As already explained, we removed the ransomware the very same day it was discovered. Immediately after discovering the ransomware, we notified local and federal law enforcement agencies as well as the United States Department of Health and Human Services about the attack. Our IT specialist investigated this incident by tracing the source of the ransomware and determined that a remote access connection put in place to increase functionality between our offices had increased our vulnerability to cyber-attacks. We immediately removed this access. Finally, we substantially increased our security protocols by no longer allowing remote access to the server, requiring all computers to be completely shut down at the end of the day, upgrading our cyber security software, and restricting internet use by employees with stricter security settings.
To get business back on track, we are manually reloading data from our existing paper charts as well. If you were scheduled for a visit(s) after January 1, 2020, then please expect a call from us to reschedule your appointment(s).
Steps You Should Take to Protect Yourself from Potential Harm Resulting from this Data Breach:
We recommend placing a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the toll-free numbers for the three major credit bureaus listed below to set up a fraud alert. Once one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. The initial fraud alert stays on your credit report for one year, and you can renew it after one year.
Equifax: equifax.com or 1-800-685-1111
Experian: experian.com or 1-888-397-3742
TransUnion: transunion.com or 1-888-909-8872
You should request that all three credit reports be sent to you, free of charge, for your review. Even if you find no suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit reports periodically can help you spot problems and address them quickly. If your personal information has been misused, visit the FTC’s site at IdentityTheft.gov to get recovery steps and to file an identity theft complaint. Your complaint will be added to the FTC’s Consumer Sentinel Network, where it will be accessible to law enforcers for their investigations.
You may also contact the Federal Trade Commission (FTC) about identity theft concerns by calling toll-free at 1-877-IDTHEFT (877-438-4338).
Finally, you should also consider contacting the Internal Revenue Service (IRS) toll-free at 800-908-4490 regarding identity theft matters. The IRS also has several online resources discussing identity theft, which you can access at this web address: https://www.irs.gov/newsroom/taxpayer-guide-to-identity-theft.
Contact Procedures to Ask Questions or Learn Additional Information:
We are committed to patient privacy and continued exceptional patient care. We apologize for the inconvenience and appreciate your patience with our staff as they navigate these challenging times. You may contact our office manager, Dawn Kuder, toll-free at 1-855-567-4878 ext. 115, with any questions or concerns regarding this matter.