Notice to Patients of a Phishing Incident
Imperium Health Management, LLC (“Imperium”) is committed to protecting the confidentiality of the information it maintains. This notice describes an incident that may have involved information for patients of some of the physician practices it provides services to, measures that Imperium has taken, and some steps patients can take in response. At this time, Imperium has no evidence that any patient information was in fact viewed, accessed, or acquired, or that it will be used in a way that would cause financial harm to patients.
Two employees at Imperium were victims of a phishing email scheme, which means that someone sent these employees fake emails designed to trick recipients into providing information. On April 21 and April 24, 2020, these employees clicked on malicious links in emails that appeared to be legitimate but were not, and inadvertently disclosed their email account credentials to unauthorized parties. As a result, unauthorized parties gained access to the two employees’ email accounts. Imperium immediately launched an investigation of the phishing incident, and learned on June 18, 2020, that patient information in the two Imperium employees’ email accounts may have been visible to the unauthorized parties, including patient names, addresses, dates of birth, medical record numbers, account numbers, health insurance information, Medicare numbers, Medicare Health Insurance Claim Numbers (which may contain Social Security numbers), and limited treatment and clinical information. To date, Imperium has found no evidence that any personal information was in fact viewed, accessed, or acquired, but is notifying patients as a precautionary measure.
What did Imperium do in response to this incident?
Upon learning of this incident on April 23, 2020, Imperium immediately launched an investigation, disabled the employees’ email accounts, and provided them with new email accounts. Imperium also blocked access from Imperium’s network to the website associated with the malicious links contained in the phishing emails to prevent any other employees from accessing the malicious website.
A leading cyber security firm was hired to assist Imperium with the investigation. The cyber security firm concluded the unauthorized parties only had access to these two Imperium employees’ email accounts, and did not access any other Imperium information systems. To date, Imperium has found no evidence that any personal information was in fact viewed, accessed, or acquired.
Imperium has taken actions to help prevent a similar security incident in the future. These actions include educating employees on how to identify and avoid phishing emails and implementing additional security measures, including multi-factor authentication for remote access to its systems and new protocols for the secure transfer of personal information.
What is Imperium doing to protect patients?
Beginning on August 17, 2020, Imperium will be mailing letters to patients whose information may have been involved in this incident and has established a dedicated, toll-free call center to answer questions that patients may have. For those patients whose Medicare Health Insurance Claim Numbers (which may contain Social Security numbers) may be involved in this incident, Imperium is offering complimentary credit monitoring and identity protection services. If you have questions, please call 855-223-7519, Monday – Friday, from 8:00 a.m. to 8:00 p.m., and Saturday – Sunday, 10:00 a.m. to 7:00 p.m., Central Daylight Time.
Imperium encourages you to remain vigilant for incidents of fraud by monitoring your insurance and physician statements If you see services on these statements that you did not receive, please contact your insurer or provider immediately.
Imperium deeply regrets any concern or inconvenience this incident may cause you. Imperium has taken actions to help prevent a similar security incident in the future. These actions include re-educating employees on how to identify and avoid phishing emails and implementing additional security measures, including multi-factor authentication for remote access to its systems and new protocols for the secure transfer of personal information.
ADDITIONAL STEPS YOU CAN TAKE
It is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:
- Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
- Experian, PO Box 2002, Allen, TX 75013, www.experian.com, 1-888-397-3742
- TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-916-8800
If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:
- Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft
Fraud Alerts: There are two types of general fraud alerts you can place on your credit report to put your creditors on notice that you may be a victim of fraud—an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for one year. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years.
To place a fraud alert on your credit reports, contact one of the nationwide credit bureaus. A fraud alert is free. The credit bureau you contact must tell the other two, and all three will place an alert on their versions of your report.
For those in the military who want to protect their credit while deployed, an Active Duty Military Fraud Alert lasts for one year and can be renewed for the length of your deployment. The credit bureaus will also take you off their marketing lists for pre-screened credit card offers for two years, unless you ask them not to.
Credit or Security Freezes: You have the right to put a credit freeze, also known as a security freeze, on your credit file, free of charge, which makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your report, they may not extend the credit.
How do I place a freeze on my credit reports? There is no fee to place or lift a security freeze. Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit reporting company. For information and instructions to place a security freeze, contact each of the credit reporting agencies at the addresses below:
- Experian Security Freeze, PO Box 9554, Allen, TX 75013, www.experian.com
- TransUnion Security Freeze, PO Box 2000, Chester, PA 19016, www.transunion.com
- Equifax Security Freeze, PO Box 105788, Atlanta, GA 30348, www.equifax.com
You'll need to supply your name, address, date of birth, Social Security number and other personal information.
After receiving your freeze request, each credit bureau will provide you with a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
How do I lift a freeze? A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, then the bureau must lift the freeze no later than three business days after getting your request.
If you opt for a temporary lift because you are applying for credit or a job, and you can find out which credit bureau the business will contact for your file, you can save some time by lifting the freeze only at that particular credit bureau. Otherwise, you need to make the request with all three credit bureaus.
Additional information for residents of the following states:
Connecticut: You may contact and obtain information from your state attorney general at: Connecticut Attorney General’s Office, 165 Capitol Ave, Hartford, CT 06106, 1-860-808-5318, www.ct.gov/ag
District of Columbia: You may contact and obtain information from your attorney general at: Office of the Attorney General for the District of Columbia, 441 4th Street NW, Washington, DC 20001, 1-202-727-3400, www.oag.dc.gov
Maryland: You may contact and obtain information from your state attorney general at: Maryland Attorney General’s Office, 200 St. Paul Place, Baltimore, MD 21202, 1-888-743-0023 / 1-410-576-6300, www.oag.state.md.us
Massachusetts: Under Massachusetts law, you have the right to file and obtain a copy of a police report. You also have the right to request a security freeze, as described above. You may contact and obtain information from your state attorney general at: Office of the Massachusetts Attorney General, One Ashburton Place, Boston, MA 02108, 1-617-727-8400, www.mass.gov/ago/contact-us.html
New York: You may contact and obtain information from these state agencies: New York Department of State Division of Consumer Protection, One Commerce Plaza, 99 Washington Ave., Albany, NY 12231-0001, 518-474-8583 / 1-800-697-1220, http://www.dos.ny.gov/consumerprotection; and New York State Office of the Attorney General, The Capitol, Albany, NY 12224-0341, 1-800-771-7755, https://ag.ny.gov
North Carolina: You may contact and obtain information from your state attorney general at: North Carolina Attorney General’s Office, 9001 Mail Service Centre, Raleigh, NC 27699, 1-919-716-6000 / 1-877-566-7226, www.ncdoj.gov
Rhode Island: Under Rhode Island law, you have the right to file and obtain a copy of a police report. You also have the right to request a security freeze, as described above. You may contact and obtain information from your state attorney general at: Rhode Island Attorney General’s Office, 150 South Main Street, Providence, RI 02903, 1-401-274-4400, www.riag.ri.gov
West Virginia: You have the right to ask that nationwide consumer reporting agencies place "fraud alerts" in your file to let potential creditors and others know that you may be a victim of identity theft, as described above. You also have a right to place a security freeze on your credit report, as described above.
A Summary of Your Rights Under the Fair Credit Reporting Act: The federal Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. There are many types of consumer reporting agencies, including credit bureaus and specialty agencies (such as agencies that sell information about check writing histories, medical records, and rental history records). Your major rights under the FCRA are summarized below. For more information, including information about additional rights, go to www.consumerfinance.gov/learnm... or write to: Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
- You must be told if information in your file has been used against you.
- You have the right to know what is in your file.
- You have the right to ask for a credit score.
- You have the right to dispute incomplete or inaccurate information.
- Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information.
- Consumer reporting agencies may not report outdated negative information.
- Access to your file is limited.
- You must give your consent for reports to be provided to employers.
- You may limit “prescreened” offers of credit and insurance you get based on information in your credit report.
- You have a right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization.
- You may seek damages from violators.
- Identity theft victims and active duty military personnel have additional rights.