On October 26, 2023, we received a notification that one of our employees had an external forward setup going to a Gmail account. We engaged our existing managed IT Company to perform a cybersecurity forensic analysis and retained cybersecurity legal counsel to assist in addressing the potential situation.
The investigation determined that an unauthorized third party gained access to one of our employees’ email accounts and set up an external forwarding rule. This external forwarding rule sent copies of all emails the employee received from September 4, 2023 – October 31, 2023 to a Gmail account that did not belong to the employee or anyone at The Foleck Center. Our IT Company assisted us with locking down the affected user, blocking sign-in access for the affected user’s email address, and blocking the ability for other users to set mailbox rules for external forwarding. Following the investigation, the contents of the affected email account were exported, and the extrapolated data was reviewed to compile a list of individuals who may be impacted by this incident.
It was unfortunately not possible to determine which, if any, specific emails were accessed or read by the unauthorized third party beyond those that were forwarded between September 4 and October 31 of this year, so in an abundance of caution, we are directly notifying anyone whose name appeared in any email in that email account. The limit of the third party’s access was the potential viewing of the emails on the one employee account. The data in those emails possibly contained patient names, addresses, dates of birth, employer name and address, dates and office locations of treatment/appointments, our patient and system ID numbers, and insurance information. A few emails also contained Social Security and driver’s license numbers; however, those individuals are being separately notified. Our patients’ medical records are stored on our independent third-party vendor site and remained secure.
Securing our patients’ personal information is important to us. Accordingly, we have implemented additional security measures to protect information from future unauthorized access, however unlikely it may be. This includes providing additional HIPAA training to our employees above our existing several-times-a-year sessions and further improving password and network security. Our cybersecurity counsel is also assisting us with updating our policies and systems to increase security, as well as response should an incident occur in the future. Please be assured that we have taken every step necessary to address the incident.
We encourage all of our patients to remain vigilant and monitor their credit reports for suspicious activity. A free credit report can be obtained from each of the three credit bureaus by calling 1-877-322-8228. A “fraud alert” can also be placed on a credit file at no charge, which alerts creditors to take additional steps to verify an identity prior to granting credit. Please note, placing a fraud alert may delay the ability to obtain credit while the agency verifies the identity.
As soon as one credit bureau confirms the fraud alert, the others are notified to place fraud alerts on the individual’s file. The credit bureaus listed below can be contacted to place an alert on an account or with any questions regarding a credit report.
For more information regarding identity theft, please visit the Computer Crime Information and Resources website run by the Office of the Attorney General of Virginia at https://www.oag.state.va.us/CCSWeb2/. That office can also be contacted at:
Office of the Attorney General
Computer Crime Section
202 North Ninth Street
Richmond, VA 23219
We sincerely apologize for the inconvenience and concern this incident may have caused our patients. Our patients’ information privacy is important to us and we will keep them informed of any developments in the investigation which may be of importance.
If there are any questions or concerns, please contact us at 1-800-672-8079 between the hours of 9:00 a.m. and 5:00 p.m. or by sending an email message to Michelle Vaszil at email@example.com. Please also continue to check our website for updated information.