Maxwell Aesthetics (“Maxwell”) in Nashville, Tennessee announced today that it has taken action after becoming aware of unauthorized access to certain patient information. Out of an abundance of caution, Maxwell is providing notice of this event to potentially impacted individuals, as well as certain regulators.
What Happened? On May 1, 2020, Maxwell discovered that its system had been infected with malware that prevented Maxwell from accessing its files. Maxwell began working to restore its access while it investigated the incident. On May 13, 2020, Maxwell became aware that the unauthorized individuals who placed the malware on the Maxwell system also accessed certain patient data and exfiltrated it from its internal systems. Upon discovery, and with the assistance of third-party forensic specialists, Maxwell conducted a comprehensive review of the nature of the impacted information to determine the types of personal information at issue and to whom the information related.
What Information Was Involved? The investigation determined that at the time of the incident, the accessed information included patient names, partially coded terms relating to medical procedures, health insurance company numbers, and may have included patient dates of birth. To date, Maxwell is unaware of any actual or attempted misuse of the above-stated personal information as a result of this incident, and further, after a thorough examination of the information impacted in this incident, Maxwell found no indication that any patient bank account information, address, Social Security numbers, or photographs relating to medical care were impacted by this incident.
What They Are Doing. The security of information in Maxwell’s care is among its highest priorities. Upon learning of this incident, Maxwell quickly took steps to investigate and eliminate access to information accessed by outside parties. In an abundance of caution, Maxwell is also directly notifying potentially affected individuals, so that they may take further steps to best protect their personal information. Although Maxwell is unaware of any actual or attempted misuse of patient personal information as a result of this event, Maxwell has arranged to have Kroll protect their identity for 12 months at no cost as an added precaution.
What Potentially Affected Individuals Can Do. Maxwell’s notification to potentially impacted individuals includes information on obtaining a free credit report annually from each of the three major credit reporting bureaus by visiting www.annualcreditreport.com, calling 877-322-8228, or contacting the three major credit bureaus directly at: Equifax, P.O. Box 105069, Atlanta, GA, 30348, 800-525-6285, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com. Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General. Maxwell provided notice of this incident to the U.S. Department of Health and Human Services, as well as required state regulators.