Healthcare Resource Group, Inc. (“HRG”) is providing notice on behalf of Orleans Community Health (“Orleans”) of an incident that may affect the security of certain personal information relating to current and former Orleans patients. This notice is regarding the same event which HRG provided notice of on April 7, 2020. Since April 7, 2020, HRG received approval from Orleans to provide this notice on behalf of Orleans. While, to date, HRG has no evidence of actual misuse of the information present in the account, in an abundance of caution, HRG is providing notice of this event.
HRG provided medical billing services to Orleans. On December 31, 2019, HRG determined that an HRG employee’s email account was subject to unauthorized access between November 4, 2019, and November 30, 2019. HRG was unable to determine what, if any, emails and attachments within the account were subject to unauthorized access. HRG was only able to confirm that the email account was subject to unauthorized access. HRG then enlisted the services of a third-party firm to review the contents of the email account in order to determine whether it contained any sensitive information. The time-intensive review of the email account concluded on February 27, 2020. Through this review, HRG determined that certain patient records belonging to Orleans were present in the account at the time of the unauthorized access. HRG notified Orleans about the event on March 11, 2020. At this time, HRG is unaware of any actual misuse of personal information as a result of this event.
The information potentially impacted by this event varied by an individual but included first and last names and one or more of the following data elements: Social Security number, driver’s license number, date of birth, medical record number, patient account number, treatment information, health insurance information, and medical billing or claims information.
On April 7, 2020, HRG began mailing notice letters to affected individuals for whom it has address information. On [date], HRG mailed notice letters to the patients who sought services from Orleans for whom it has address information after receiving approval from Orleans to do so. The notice letter includes an offer of access to 12 months of credit monitoring and identity theft restoration services at no cost to the individual. In addition, the notice encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to their insurance company, health care provider, or financial institution.
HRG takes this incident and security of personal information in its care seriously. HRG moved quickly to investigate and respond to this incident, assess the security of relevant HRG systems, and notify potentially affected individuals. In response to this event, HRG is reviewed and enhanced existing policies and procedures. HRG reported this incident to law enforcement and relevant regulatory authorities. HRG and Orleans are also notifying potentially impacted individuals so that they may take further steps to protect their information, should they feel it is appropriate to do so.