Christie Business Holdings Company, P.C. (“Christie Clinic”) is providing notice of a recent event that may affect the privacy of certain patient information. In an abundance of caution, we are notifying potentially impacted individuals so that they may take additional steps to better protect their personal information, should they feel it is appropriate to do so. We do not have any evidence of identity theft or misuse of personal information as a result of this incident, however we take this incident seriously, and this letter provides details of the incident, our response, and steps individuals may take to better protect against possible misuse of their information, should they feel it appropriate to do so.
What Happened? Christie Clinic recently discovered suspicious activity related to one of its business email accounts. This event did not impact Christie Clinic’s computer systems, electronic medical record, MyChristie patient portal, or patient care. The suspicious activity was occurring with respect to only a single user email account. Christie Clinic promptly launched an internal investigation to determine the nature and scope of this incident, and contacted federal law enforcement and worked with them to mitigate the impact of the unauthorized access. We also engaged a leading data forensics firm, and on January 27, 2022, Christie Clinic’s investigation confirmed that there was unauthorized access to the affected email account from July 14, 2021 to August 19, 2021. The investigation indicated that the purpose of the unauthorized access was to intercept a business transaction between Christie Clinic and a third party vendor. This investigation was unable to determine to what extent email messages in the account were actually viewed or accessed by an unauthorized actor. As a result, Christie Clinic undertook a review to identify the full scope of information that could have been contained in the affected email account to determine whether protected information was potentially impacted. On March 10, 2022, Christie Clinic’s review determined that the impacted account MAY have contained certain information related to certain individuals. On March 25, 2022, Christie Clinic provided written notice to all affected individuals whose information was identified in its review.
What Information Was Involved? Christie Clinic’s analysis revealed that the types of information held by Christie Clinic and potentially in the affected email account MAY include name and: address, Social Security number, medical information, and health insurance information. The unauthorized actor did not have access to the electronic medical record, MyChristie patient portal, or Christie Clinic’s network.
How Will Individuals Know If They Are Affected By This Incident? Based on the nature of access to the single user’s email account, Christie Clinic and our professional forensic investigators have concluded that the extent of the access is unknown and cannot be determined. Out of caution, we are sending notice to all individuals.
What is Christie Clinic Doing? Christie Clinic takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we notified federal law enforcement, steps were taken to secure the impacted account and we immediately commenced an investigation to confirm the nature and scope of the incident. We have taken steps to implement additional safeguards for Christie Clinic and its patients. We already employ industry-leading network security solutions and perform regular and ongoing data security and privacy training.
Has the information been misused? At this time, there is no evidence that there has been any use, or attempted use of the information potentially exposed in this incident.
What You Can Do. Christie Clinic encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Additional steps individuals can take is provided in the below “Steps You Can Take to Protect Personal Information.”
For More Information. Christie Clinic has established a dedicated assistance line at 866-915-5006 (toll-free) for any questions individuals may have.
Steps You Can Take To Protect Personal Information
Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report, place a fraud alert, or a security freeze. Contact information for the credit bureaus is below.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the prior two to five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.); and
- A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a fraud alert or credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax, P.O. Box 105069, Atlanta, GA, 30348, 1-800-685-1111, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com. Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.