MARCH 31, 2022 NOTICE
Unauthorized Access to Microsoft Office 365-hosted Business Email Accounts
Summit BHC West Virginia, LLC d/b/a Highland Hospital (“Highland” or “Company”) is notifying its patients of a security event that may have impacted personal information.
Highland recently completed an investigation into the unauthorized access of select business email accounts on the Company’s Microsoft Office 365-hosted email system. These email accounts are completely separate from Highland’s internal network; this security event was isolated to these business email accounts.
We have determined there was unauthorized access, on an intermittent basis, to five business email accounts beginning on November 11, 2020. Notwithstanding a thorough investigation into these accounts, it is not possible to determine from available forensic evidence whether personal information was actually accessed during these periods of unauthorized account activity. All of the unauthorized actions observed within the accounts were focused on attempts to perpetrate payment fraud. All of these attempts were blocked. Highland is not aware of an actual or attempted misuse of personal information as a result of this incident.
Based on the data analysis that was performed and ultimately completed in late February, 2022, the files available within the affected e-mail accounts may have included: (1) patient contact information (such as patient name, guarantor name, address, email address); (2) Social Security number; (3) driver’s license number; (4) date of birth; (5) health insurance information (payor name, payor contract dates, policy information including type and deductible amount and subscriber number); (6) medical and/or treatment information (dates of service, location, services requested or procedures performed, diagnosis, prescription information, physician names, and Medical Record Numbers); and (7) billing, payment, and claims information (invoices, payment details, submitted claims and appeals, and patient account identifiers used by providers). Please note that not all of these data fields may have been involved for all individuals.
Highland is committed to protecting the information it maintains. After first detecting suspicious activity on October 26, 2021, Highland took immediate steps to secure its e-mail system. We haves continued to focus on strengthening our cyber-resiliency since that time. This has included, for example, adding multi-factor authentication and implementing new threat monitoring and prevention tools to further secure the Highland network against cyber threats.
Until June 30, 2022, individuals are encouraged to call toll-free (888) 829-6550 to learn additional information about the security event, ask questions, and determine if their personal information was stored within any of the affected e-mail accounts. The call center will be open Monday through Friday from 8 am – 10 pm Central, and on Saturday and Sunday from 10 am – 7 pm Central (excluding major U.S. holidays). Additional information on general steps individuals can take to monitor and safeguard their personal information can be found below. A complimentary subscription to IdentityWorksSM, an identity theft protection service offered by Experian®, will be available to individuals whose information was stored within the affected email accounts. Be prepared to reference engagement number B029798 as proof of eligibility for these services.
Individuals should carefully review credit reports and statements sent from providers as well as their insurance company to ensure that all account activity is valid; any questionable charges should be promptly reported to the provider’s billing office, or for insurance statements, to their insurance company.
This notice will remain active for at least 90 days.
IDENTITY PROTECTION REFERENCE GUIDE
1. Review your Credit Reports. We recommend that you monitor your credit reports for any activity you do not recognize. Under federal law, you are entitled every 12 months to one free copy of your credit report from each of the three major credit reporting companies. To order your free annual credit report, visit www.annualcreditreport.com, call toll-free (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through the website, toll-free number or request form.
2. Place Fraud Alerts. You can place a fraud alert at one of the three major credit bureaus by phone and also via Experian’s or Equifax’s website. You can learn more about fraud alerts by contacting the credit bureaus or by visiting their websites:
P.O. Box 740241
Atlanta, GA 30374-0241
P.O. Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19022-2000
3. Monitor Your Account Statements. We encourage you to carefully monitor your financial account statements for fraudulent activity and report anything suspicious to the respective institution or provider.
4. You can obtain additional information about the steps you can take to avoid identity theft and more information about fraud alerts and security freezes from the FTC. You may contact the FTC, Consumer Response Center at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.consumer.gov/idtheft, 1-877-IDTHEFT (438-4338), TDD: 1-202-326-2502.