Adirondack Health is committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns an incident involving some of that information.
Adirondack Health is part of the Adirondacks ACO (the “ACO”), an accountable care organization, which consists of various health care providers. ACO providers coordinate amongst themselves, and with each individual, to improve the individual’s quality of care. To help accomplish this function, the ACO receives and analyzes patient information pertaining to the services we provide to patients. On May 3, 2019, the ACO notified us that it recently discovered unauthorized remote access to an email account assigned to a joint employee of Adirondacks ACO and Champlain Valley Physician’s Hospital (“CVPH”), one of Adirondacks ACO’s partner hospitals. CVPH discovered the incident on March 4, 2019, and immediately secured the email account to prevent any further access and began an investigation. CVPH performed a comprehensive review of the account’s content and determined that emails and/or attachments reflected services performed by Adirondacks ACO related to its member providers and carriers, and included some patient information. The information may have included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. In a limited number of instances, patients’ social security numbers were also included in the account.
This incident did not affect all Adirondack Health patients, but only some patients who had information contained in the affected email account.
There is no indication that any patient information was actually viewed or accessed, or that it has been misused. However, we asked the ACO to mail letters to those of our patients whose information was identified in the account. The ACO has also established a dedicated call center to answer questions for affected patients. If you believe you are affected but do not receive a letter by July 19, 2019, please call 1-877-347-0178 from 9:00 a.m. to 9:00 p.m. Eastern time, Monday through Friday. The letters provide additional information about how affected patients can protect themselves.
For patients whose Social Security number was contained in the email account, the ACO is offering complimentary credit monitoring and identity protection services. We and the ACO also recommend patients review any billing or explanation of benefits statements they receive from their health care insurers or health care providers. If they see services they did not receive, they should contact the health insurer or provider immediately.
We regret any concern or inconvenience this incident may cause. We and the ACO remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, the ACO and CVPH continue to assess systems and implement safeguards to address risks. They are also reinforcing employee training on how to detect and avoid phishing emails.