Privacy Incident Notice

PRIVACY INCIDENT AT PARTNERS HEALTHCARE - February 5, 2018

On May 8, 2017, Partners HealthCare System, Inc. (“Partners”) became aware that our computer network had been affected by a sophisticated, malicious computer program introduced by an unauthorized third party.  Our monitoring systems identified suspicious activity, and we immediately blocked some of this malware and began an investigation working with third party forensic consultants to identify the problem and mitigate its impact. 

We were able to determine that the malware was not specifically targeted to impact the Partners environment, Partners operations or any information maintained by Partners.  We also confirmed that there was no access to our electronic medical record system.  As we continued the investigation, however, we became aware that the malware may have resulted in unauthorized access to certain data resulting from user activity on affected computers from May 8, 2017 to May 17, 2017.  As impacted computers were identified, Partners implemented aggressive containment measures to mitigate further impact.     

As part of our ongoing review, we became aware on July 11, 2017 of data that appeared to possibly involve personal and health information.  The impacted data was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher.  After an extensive manual data analysis completed in December 2017, we are notifying individuals whose personal and health information may have been involved, in an abundance of caution.  Based on the review, the information involved may have included certain types of protected health information for patients, including first and last name, date(s) of service, and/or certain limited amounts of clinical information such as procedure type, diagnosis, and/or medication. For some patients, Social Security Numbers and financial account data may have been involved.  However, we are currently not aware of any misuse of patients’ health information.

Partners is informing individuals whose personal and health information may have been involved by mailing a letter to their last known address. Since it is possible we have outdated contact information for some individuals, we are also providing notice on our website as permitted by HIPAA. To learn whether your information was involved and, if so, what types of information, or if you have other questions about the incident, please call (877) 218-0056, Monday through Friday, between 9:00 a.m. and 7:00 p.m. Eastern Time (closed on U.S. observed holidays). Please provide the following ten-digit reference number when calling: 3217020118. This substitute notice and toll-free number will remain active for at least 90 days.

Partners has enhanced its security program, controls and procedures as a result of this incident.  We are also providing information below about various steps patients can take to protect against potential misuse of their protected health information and to protect their identity.  Thank you.

STEPS YOU CAN TAKE TO PROTECT YOUR PROTECTED HEALTH INFORMATION 

Review Your Account Statements. Carefully review statements sent to you from Partners as well as from your insurance company to ensure that all of your account activity is valid.  Report any questionable charges promptly to the Partners Billing Office at the phone number listed on the statement, or for insurance statements, to your insurance company. 

Provide any updated personal information to your health care provider.  Your health care provider’s office will ask to see a photo ID to verify your identity.  Please bring a photo ID with you to every appointment if possible.  Your provider’s office will also ask you to confirm your date of birth, address, telephone, and other pertinent information so that we can make sure that all of your information is up-to-date.   Please be sure and tell your provider’s office when there are any changes to your information.  Carefully reviewing this information with your provider’s office at each visit helps us to avoid problems, and address them quickly should there be any discrepancies. 

Consult the Federal Trade Commission.  For more guidance on general steps you can take to protect your information, you also can contact the Federal Trade Commission: 

Website:                           https://www.consumer.ftc.gov/topics/privacy-identity-online-security 

Postal Address:                 Federal Trade Commission
                                          600 Pennsylvania Avenue, NW
                                          Washington, DC 20580

Telephone:                       (202) 326-2222 

STEPS YOU CAN TAKE TO PROTECT YOUR IDENTITY 

Security Freeze. A security freeze prohibits a credit bureau from releasing any information from your credit report without your written consent.  Please be aware, however, that placing a security freeze on your credit report may delay or prevent the timely approval of any requests you make for new loans, credit, mortgages, or other services.  To place a security freeze on your file, you must send a written request to each of the three credit bureaus by regular, certified, or overnight mail at the addresses below:

                Equifax Security Freeze          Experian Security Freeze          TransUnion Security Freeze

                P.O. Box 105788                  P.O. Box 9554                     P.O. Box 2000

                Atlanta, GA 30348                Allen, TX 75013                   Chester, PA 19016

When requesting a security freeze, you will need to provide the following information: (1) your full name; (2) your social security number; (3) your date of birth; (4) if you have moved in the past five years, the addresses where you have lived during that period; (5) proof of your current address, such as a current utility or telephone bill; and (6) a legible copy of your government-issued identification card, such as a state driver's license, state ID card, or military ID card.  If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift, or remove a security freeze.  In all other cases, the credit reporting agency may charge you up to $5.00 each to place, temporarily lift, or permanently remove a security freeze.  You will need to include payment by check, money order, or major credit card.  Do not send cash through the mail.

The credit reporting agencies have three business days after receiving your request to place a security freeze on your credit report.  The credit bureaus also must send written confirmation to you within five business days and provide you with a unique personal identification number (PIN) or password, or both, that you can use to authorize the removal or lifting of the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report to be available.  The credit reporting agencies have three business days after receiving your request to lift the security freeze for those specific entities or individuals or for the specified period of time.

To remove the security freeze completely, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze.  The credit bureaus have three business days after receiving your request to remove the security freeze. 

Review Your Account Statements.  Carefully review your bank, credit card, and other account statements every month to ensure that all of your account activity is valid.  Report any questionable charges promptly and in writing to the card or account issuer. 

Check Your Credit Report. Check your credit report to ensure that all of your information is correct.  You can obtain a free credit report once per year by visiting www.annualcreditreport.com or by calling 877-322-8228.   If you notice any inaccuracies, contact the relevant credit bureau promptly at the telephone number listed on the report.  You can also report any suspicious activity to your local law enforcement, in which case you should request a copy of the police report and retain it for your records. 

Fraud Alert. You have the right to request that the credit bureaus place a fraud alert on your file.  A fraud alert tells creditors to contact you before opening any new accounts or increasing credit limits on your existing accounts.  You need to contact only one of the three credit bureaus to place a fraud alert; the one you contact is required by law to contact the other two.  

For Fraud Alerts, the credit bureaus can be reached at: 

                Equifax                                                 Experian                                              TransUnion

                P.O. Box 740241                                P.O. Box 9532                                     P.O. Box 2000

                Atlanta, GA  30374                           Allen, TX  75013                                 Chester, PA 19016

                800-525-6285                                     888-397-3742                                     888-909-8872

               www.equifax.com                          www.experian.com                       www.transunion.com

 

Consult the Federal Trade Commission. For more guidance on steps you can take to protect your information, you also can contact the Federal Trade Commission at www.ftc.gov/idtheft, or at 877-ID-THEFT (877-438-4338), or at the Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580.

If you are a Massachusetts resident, you also have the following rights:

  • Right to obtain any police report filed in regard to this incident. 
  • Right to file a police report if you are the victim of identity theft and obtain a copy of it.
  • Right to request that the credit bureaus place a security freeze on your file.  Please refer to the enclosed information sheet for instructions on placing a security freeze on your credit report and additional steps you can take to further reduce any potential risk to you.