Notice of Data Privacy Event
SOUTH BEND, INDIANA – May 26, 2017 – Although unaware of any actual or attempted fraudulent misuse of patient information, Beacon Health System (“Beacon”) is notifying approximately 1,200 patients that records were accessed without proper authorization by a former employee.
What Happened? After an audit of an employee access to medical records, Beacon discovered, on or around March 30, 2017, that an employee accessed some patient records without authorization between March of 2014 to March of 2017. Beacon immediately launched an investigation to determine the scope and nature of this incident. When interviewed, the employee admitted that certain patient medical record files were accessed out of curiosity after patient Emergency Room visits. While the employee may have had authorization to view records in certain circumstances, the employee viewed patient records without a permissible reason. The employee denied taking or misusing any information, and we have no evidence that any information was used to commit fraud or otherwise misused. This investigation involved the assistance of a third-party forensic investigation firm.
What Information Was Involved? While our investigation is ongoing, to date, we have no evidence of any actual or attempted misuse of patient information as a result of this incident. The information affected may include the following patient information: first and last name; Social Security number; age; diagnosis; room number; acuity of illness; chief complaint; and potentially financial account information and/or health insurance coverage information.
What We Are Doing. The confidentiality, privacy, and security of our patient health information is one of our highest priorities. We have stringent security measures in place to protect the security of information in our possession. Beacon is reviewing employee training curriculum and is implementing new procedures to reduce the likelihood that an incident like this will happen in the future. While we are unaware of any actual or attempted misuse of patient information, we are offering complimentary access to 12 months of free identity monitoring and identity restoration services with Experian. We are also notifying the U.S. Department of Health and Human Services (HHS) of this incident.
There are additional actions individuals can consider taking to reduce the chances of identity theft or fraud. Please refer to www.experian.com/fraudresolution for this information.
To further protect against possible identity theft or other financial loss, we encourage individuals to remain vigilant, to review their account statements, and to monitor their credit reports for suspicious activity. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report.
We recommend that individuals regularly review any Explanation of Benefits statements that they receive from their insurer. If individuals see any service that they believe they did not receive, they should contact the insurer at the number on the statement. If individuals do not receive regular Explanation of Benefits statements, contact the insurer and request that they send such statements following the provision of services in their name or number.
Individuals may want to order copies of their credit reports and check for any items or medical bills that they do not recognize. If they find anything suspicious, they can call the credit reporting agency at the phone number on the report. We advise individuals to keep a copy of this notice for their records in case of future problems with their records. Individuals may also want to request a copy of their medical records from their provider, to serve as a baseline.
At no charge, individuals can also have these credit bureaus place a “fraud alert’ on their file that alerts creditors to take additional steps to verify an individual’s identity prior to granting credit in their name. Note, however, that because it tells creditors to follow certain procedures to protect individuals, it may also delay their ability to obtain credit while the agency verifies their identity. As soon as one credit bureau confirms an individual’s fraud alert, the others are notified to place fraud alerts on their file. Should individuals wish to place a fraud alert, or should they have any questions regarding their credit report, they may contact any one of the agencies listed below.
P.O. Box 105069
Atlanta, GA 30348
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19022-2000
Individuals may also place a security freeze on their credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on a credit report may delay, interfere with, or prevent the timely approval of any requests an individual makes for new loans, credit mortgages, employment, housing or other services. Indiana residents can request a credit freeze free of charge. There is no fee for Indiana residents to place, temporarily lift, remove, or request a new password or PIN.
If an individual have been a victim of identity theft, and they provide the credit bureau with a valid police report, it cannot charge them to place, lift or remove a security freeze. In all other cases, a credit bureau may charge someone a fee to place, temporarily lift, or permanently remove a security freeze. Individuals will need to place a security freeze separately with each of the three major credit bureaus listed above if they wish to place the freeze on all of their credit files.
To find our more on how to place a security freeze, they can use the following contact information:
|Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
(NY residents please call
|Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19022-2000
For Indiana Residents – Protected Person Security Freeze
As part of an ongoing effort by the Attorney General’s Office to help consumers protect themselves from identity theft and safeguard their credit, the Legislature in 2014 passed a new state law, Senate Enrolled Act 394 of 2014, creating the Protected Person Security Freeze. Because identity thieves could attempt to steal the information of individuals such as children or disabled adults who have clean credit history in order to assume their identities and perpetrate fraud, the 2014 law offers a security freeze for protected consumers, similar to the credit freeze for adults. Parents can use it to protect their children from identity theft even if the minors don’t have credit yet. For mentally disabled adults who also should be protected against identity theft, their legal guardians can register them for the security freeze.
Below are links to the three credit bureaus’ Protected Person Security Freeze sites. For the free service, each of the three credit bureaus requires that consumers register a minor or a protected consumer in writing, by mail, rather than online. And each credit bureau has a slightly different format for registering for a security freeze for a minor or other protected consumer, so read the directions carefully.
Directions for registering for a credit freeze for a minor or protected person from Equifax are at this link:
At this link, scroll down to the final two paragraphs on the Experian page for information on a security freeze for a protected consumer:
Directions for registering for a credit freeze for a minor or protected person from TransUnion are at this link:
Consumers who have questions about the Protected Person Security Freeze can contact the Attorney General’s Consumer Protection Division.
Individuals can further educate themselves regarding identity theft, fraud alerts, security freezes, and the steps they can take to protect themselves, by contacting their state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Individuals should report known or suspected identity theft or fraud to law enforcement, the FTC, and their state Attorney General.
For More Information. We recognize individuals may have questions that are not answered in this letter. We have established a toll-free hotline to assist them with questions regarding this incident. This hotline can be reached at (888) 729-1602 Monday through Friday from 9:00 a.m. to 9:00 p.m. EST.