MedEvolve, a provider of practice management software to physicians and health facilities, is providing notice to current and former patients of one of MedEvolve’s customers, Premier Immediate Medical Care (“Premier”) involving the exposure of certain personal information.
What Happened? On or about May 11, 2018, MedEvolve discovered that an FTP containing a file with information related to certain Premier patients was inadvertently accessible to the internet. The file was placed on the FTP server in question as part of an isolated data transfer event. The server is not associated with MedEvolve’s customer facing “front office” software products, hosting operations, or medical billing services. Upon discovery, MedEvolve launched an investigation, with the help of third-party forensic investigators, to determine the contents of the file, how long the file was internet accessible, and whether the file was subject to unauthorized access. This investigation is ongoing. However, the investigation determined that the file was internet accessible from March 29, 2018 to May 4, 2018. The investigation also determined that one file was subject to unauthorized access on March 29, 2018. Additionally, we learned that a screenshot of the internet accessible file was taken and posted online in an article regarding this incident. The screenshot posted online contained the first names, city, state and zip code of fifteen (15) patients, but did not include patients’ last names or street addresses.
What Information Was Involved? The file that was inadvertently accessible contained certain information including name, billing address, telephone number, the identification of patient’s primary health insurer and the Social Security numbers for some of the individuals. The file did not contain any clinical information such as treatment or diagnosis or any financial information such as methods of payment.
What is MedEvolve Doing? MedEvolve takes the security of information of its clients and their patients very seriously. Upon discovery, MedEvolve immediately secured the portal in question and took steps to prevent further access. MedEvolve also hired a third-party forensic investigator to conduct an exhaustive investigation of this matter. As part of its ongoing commitment to the security of personal information in its care, MedEvolve working to implement additional safeguards and security measures to enhance the privacy and security of information in its systems.
Notification. MedEvolve is mailing letters to impacted participants and is providing those participants with two years of credit monitoring services through TransUnion. MedEvolve is also informing the U.S. Department of Health and Human Services, the required state regulators, and the three consumer reporting agencies about this incident.
Fraud Prevention Tips. MedEvolve encourages affected individuals to remain vigilant against incidents of identity theft and fraud and to seek to protect against possible identity theft or other financial loss by regularly reviewing their financial account statements, credit reports, and explanations of benefits for suspicious activity. Anyone with questions regarding how to best protect themselves from potential harm resulting from this incident, including how to receive a free copy of one’s credit report, and place a fraud alert or security freeze on one’s credit file, is encouraged to call 888-354-7159 between 9:00 a.m. and 9:00 p.m. ET, Monday through Friday, excluding major holidays.
STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION
The following information is provided in accordance with certain state legal requirements.
Monitor Your Accounts
Credit Reports. We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your account statements, explanation of benefits, and monitoring your free credit reports for suspicious activity and to detect errors. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.
Fraud Alerts. At no charge, you can also have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it may also delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below:
P.O. Box 105069 Atlanta, GA 30348
P.O. Box 2002 Allen, TX 75013
P.O. Box 2000 Chester, PA 19016
Security Freeze. You may also place a security freeze on your credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. If you have been a victim of identity theft and you provide the credit bureau with a valid police report, it cannot charge you to place, lift, or remove a security freeze. In all other cases, a credit bureau may charge you a fee to place, temporarily lift, or permanently remove a security freeze. Fees vary based on where you live, but commonly range from $3 to $15. You will need to place a security freeze separately with each of the three major credit bureaus listed above if you wish to place a freeze on all of your credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence. To find out more on how to place a security freeze, you can use the following contact information:
Equifax Security Freeze
P.O. Box 105788 Atlanta, GA 30348 1-800-685-1111
Experian Security Freeze
P.O. Box 9554 Allen, TX 75013 1-888-397-3742
P.O. Box 2000 Chester, PA 19016 1-888-909-8872
Additional Information. You can further educate yourself regarding identity theft, security freezes, fraud alerts, and the steps you can take to protect yourself against identity theft and fraud by contacting the Federal Trade Commission or your state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission encourages those who discover that their information has been misused to file a complaint with them. Instances of known or suspected identity theft should be promptly reported to law enforcement, the Federal Trade Commission, and your state Attorney General. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide some kind of proof that you have been a victim. This notice has not been delayed as the result of a law enforcement investigation.
For Maryland residents, the Attorney General can be reached at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-888-743-0023; and www.oag.state.md.us.
For North Carolina residents, the Attorney General can be contacted by mail at 9001 Mail Service Center, Raleigh, NC27699-9001; toll-free at 1-877-566-7226; by phone at 1-919-716- 6400; and online at www.ncdoj.gov.
Contact: Ashley Moore, firstname.lastname@example.org