Notice of Security Incident (11/13/2015)
At OH Muhlenberg, LLC, the privacy and security of our patients’, employees’ and providers’ information is a top priority. On July 1, 2015, OH Muhlenberg, LLC acquired the hospital operations of Muhlenberg Community Hospital. Prior to that time, the Muhlenberg hospital had been owned and operated by Muhlenberg Community Hospital since 1938. As part of the acquisition, OH Muhlenberg, LLC acquired substantially all of the assets of Muhlenberg Community Hospital, including its computer systems, patient records and other records. Regrettably, we are providing notice of a security incident involving some of that information. As a result, we are providing this notice whether or not you were a patient, employee, or provider prior to July 1, 2015, and whether or not particular data was transmitted prior to that date.
On September 16, 2015, the FBI notified the Hospital of suspicious network activity involving third parties. Upon learning this information, we took immediate action, including initiating an internal investigation, and we also engaged a leading forensic IT firm to investigate this matter. Based upon this review, we have confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers. The infection may have started as early as January 2012.
The affected computers were used to enter patient financial data and health information; information about persons responsible for a patient’s bill; employee/contractor data; and provider information, including potentially your name, address, telephone number(s), birthdate, Social Security number, driver’s license/state identification number, medical and health plan information (such as your health insurance number, medical record number, diagnoses and treatment information, and payment information), financial account number, payment card information (such as primary account number and expiration date), employment-related information, and credentialing information (such as Drug Enforcement Administration number, National Provider Identifier, and State licensure number). We also believe that the malware could have captured username and password information for accounts or websites that were accessed by employees, contractors, or providers using the affected terminals.
The Hospital is committed to maintaining the privacy of its patients, employees, and providers, and takes precautions for the security of personal and medical information. Upon learning of the incident, the Hospital took prompt steps to address and contain it, including immediately blocking the external unauthorized IP addresses, as well as taking steps to disable the malware. The Hospital continues to enhance the security of its systems and is working with the FBI during its investigation.
While we have no indication that the data has been used inappropriately, out of an abundance of caution, we are providing this notice to individuals whose information was maintained in the Hospital’s electronic patient records database, to persons employed by or contracted for specific services by the Hospital on and after January 1, 2012, as well as to providers credentialed or re-credentialed in 2012 or later. We want to make you aware of steps you can take to guard against possible identity theft or fraud:
- Enroll in Identity Protection Services. We are offering a complimentary one-year membership in identity protection services through a top identity monitoring services company. These services help detect possible misuse of personal information and provide identity protection services focused on immediate identification and resolution of identity theft. They are completely free to you, and enrolling in this program will not hurt credit scores.
- Explanation of Benefits Review. We recommend that you regularly review the explanation of benefits statements that you receive or review for persons whose medical bills you assist with or pay. If you identify services listed on the explanation of benefits forms that were not received, please immediately contact the insurer.
- Check Credit Reports. We recommend that you carefully check credit reports for accounts or inquiries you do not recognize. If you see anything you do not understand, call the credit agency immediately. If you find any suspicious activity on the credit reports, call your local police or sheriff's office, file a police report for identity theft, and get a copy of it. You may need to give copies of the police report to creditors to clear up credit records.
- Review Payment Card Statements. We recommend that you review your credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. You should remain vigilant and continue to monitor your statements for unusual activity going forward. If you see anything you do not understand or that looks suspicious, or if you suspect that any fraudulent transactions have taken place, you should call the bank that issued your credit or debit card immediately.
- Consult the Identity Theft Protection Guide. Please review the “Information about Identity Theft Protection” reference guide, available here, which describes additional steps that you may take to help protect against identity theft, including recommendations by the Federal Trade Commission regarding identity theft protection and details on placing a fraud alert or a security freeze on credit files.
Again, as of the date of this letter, we have no indication that any data has been used inappropriately. If you have questions or would like any additional information about this incident, we have established a call center to answer your questions. The call center is open 9 a.m.-9 p.m. EST and may be reached at 877-271-1568 from anywhere within the United States or at 503-520-4450 from outside the United States (tolls may apply). We sincerely regret any inconvenience this incident presents to you.
DeAnn Tucker, RHIA, CHPS, CCS
Director of Privacy & Security
OH MUHLENBERG, LLC