Notice of Security Incident
A Notice to our Patients
Hudson Headwaters Health Network (“HHHN”) is committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns an incident involving some of our patients’ information.
HHHN is part of the Adirondacks ACO, LLC (“Adirondacks ACO”), an accountable care organization, which is a healthcare organization consisting of a group of healthcare providers that analyzes quality metrics and the cost of care for its participating healthcare providers. Participating healthcare providers coordinate amongst themselves, and with each individual, to improve the individual’s quality of care. To help accomplish this function, Adirondacks ACO receives and analyzes patient information pertaining to the services we provide to patients. On May 6, 2019, we received notice from Adirondacks ACO that it recently discovered unauthorized remote access between March 2 and March 4, 2019, to an email account assigned to a joint employee of Adirondacks ACO and Champlain Valley Physician’s Hospital (“CVPH”), one of Adirondacks ACO’s participating healthcare providers. CVPH discovered the incident on March 4, 2019, and immediately secured the email account to prevent any further access and began an investigation. CVPH performed a comprehensive review of the account’s content and determined that emails and/or attachments reflected services performed by Adirondacks ACO related to its member healthcare providers, and included some HHHN patient information. The information may have included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. In a limited number of instances, patients’ Social Security numbers were also included in the account.
This incident did not affect all HHHN patients, but only those patients who had information contained in the affected email account.
There is no indication that any patient information has been misused. However, we asked Adirondacks ACO to mail letters to our patients whose information was identified in the account. Adirondacks ACO has also established a dedicated toll-free call center to answer questions patients may have about the incident. If you have questions, please call 1-877-347-0178, from 9:00 a.m. to 9:00 p.m. Eastern time, Monday through Friday.
For patients whose Social Security number was contained in the email account, Adirondacks ACO is offering complimentary credit monitoring and identity protection services. We and Adirondacks ACO also recommend patients review any billing or explanation of benefits statements they receive from their healthcare insurers or healthcare providers. If you see services they did not receive, you should contact the insurer or provider immediately.
We regret any concern or inconvenience this incident may cause. We and Adirondacks ACO remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, Adirondacks ACO and CVPH continue to assess systems and implement safeguards to address risks. They are also reinforcing employee training on how to detect and avoid phishing emails.