MaineGeneral Medical Center Provides Notice of Data Security Incident

Jan 15, 2016, 12:44 ET from MaineGeneral Medical Center

AUGUSTA, Maine, Jan. 15, 2016 /PRNewswire/ -- MaineGeneral Medical Center ("MaineGeneral") today supplemented its December 8, 2015 announcement regarding the cyber attack on its computer network.  Since that time, in the continuing investigation of this incident, MaineGeneral has determined additional protected health information impacting some individuals may have been accessed by the attacker. 

Letters to those impacted are being sent today, explaining the stage of the investigation, and ways individuals can protect themselves – including access to free credit monitoring and identity restoration services MaineGeneral is offering to those receiving letters of notification.

On November 13, 2015, MaineGeneral was notified by the Federal Bureau of Investigation (FBI) of the detection of certain data, believed to belong to MaineGeneral, on an external website not hosted by MaineGeneral and not accessible by the general public. Upon being contacted by the FBI, MaineGeneral launched an internal investigation by its IT team and, on November 18, 2015, MaineGeneral validated the data supplied by the FBI as MaineGeneral data.  MaineGeneral hired a highly respected cyber security forensics firm to supplement the internal investigation by its IT team.  MaineGeneral continues to cooperate with the FBI.

Information Compromised

While the FBI's investigation continues, MaineGeneral's investigation is nearing completion and the forensic team has determined that certain protected health information on its network was or may have been subject to unauthorized access on or about September 11 and 12, 2015, including: 

  • The following information relating to patients referred for radiology services since June of 2009: name, address, date of birth, demographic information, medical information including name of referring physician and allergy information, Social Security number, medical insurance information, medical record number, emergency contact information, guarantor information, and employer information.
  • The names, Social Security numbers, addresses, phone numbers, attending physician name, account number and age of certain patients in a patient advocacy file.
  • The names, Social Security numbers, dates of birth, addresses, medical record numbers, treatment information, and health history information of certain patients in a patient diagnostic registry file.
  • The names and addresses of certain patients, on a mailing list file related to a physician departure in October 2010.
  • The names, addresses, dates of birth, Social Security numbers, and medical identification numbers of certain patients in a monitoring system file.
  • The name, address, procedure date, procedure description, diagnosis and treatment choice of a patient in a letter to the patient.
  • The names, addresses and telephone numbers of certain employees.
  • The names, addresses and telephone numbers of certain prospective donors.

However, the information detected by the FBI on the external website was limited to the date of birth and emergency contact name, address, and telephone number for certain patients referred to MaineGeneral Medical Center for radiology services since June 2009, the names, addresses, and telephone numbers of certain employees, and the names, addresses, and telephone numbers of certain prospective donors.  The data detected by the FBI on the external website does not contain Social Security numbers, patient names, patient medical or health insurance information, health records, driver's license numbers, or credit/financial account information. 

Notification and Identity Protection Services

Today, MaineGeneral began mailing letters to the last known mailing address of patients whose protected health information was or may have been accessed. MaineGeneral is offering those individuals impacted by this incident access to one year of free credit monitoring and identity restoration services with Experian. The written notice sent to affected patients includes instructions on how to enroll and receive access to these services.

To Learn More

MaineGeneral has established a dedicated assistance line for anyone seeking additional information regarding this incident, as well as steps to better protect against identity theft. This assistance line can be reached at 1-877-216-8137, Monday – Friday, 9 a.m.7 p.m. ET.  Please provide the following reference number when calling: 6362010416.   

Fraud Prevention Tips

MaineGeneral encourages everyone to remain vigilant against identity theft by:

  • Reviewing account statements, medical bills, and health insurance statements regularly for suspicious activity, to ensure that no one has submitted fraudulent medical claims using your name and address. Report all suspicious or fraudulent charges to your account and insurance providers. If you do not receive regular Explanation of Benefits statements, you can contact your health plan and request them to send such statements after receiving health care services.
  • Contacting the IRS at: www.irs.gov to request a PIN to file your taxes, so that no one can use your information to submit a fraudulent tax return. The IRS will begin offering PINs in mid-January 2016.
  • Ordering and monitoring your credit reports for suspicious activity. Under U.S. law, everyone is entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit http://www.annualcreditreport.com/ or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report:

Equifax

Experian

TransUnion

P.O. Box 105069

P.O. Box 2002

P.O. Box 2000

Atlanta, GA 30348

Allen, TX 75013

Chester, PA 19022

800-525-6285

888-397-3742

800-680-7289

www.equifax.com

www.experian.com

www.transunion.com




  • Placing a "fraud alert" on your credit file. A "fraud alert" will tell creditors to follow certain procedures to verify your identity prior to granting credit in your name. These additional steps also may delay your ability to obtain credit while the credit bureaus verify your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your files. You may use the contact information listed above to contact the major credit bureaus and place a "fraud alert" on your credit report.
  • Placing a "security freeze" on your credit file. This prohibits a credit reporting agency from releasing any information from your credit report without your written authorization but may delay, interfere with or prevent the timely approval of any requests for new credit. If you have been a victim of identity theft and provide the credit reporting agency with a valid police report, the credit reporting agency cannot charge to place, lift or remove a security freeze. In all other cases, a credit agency may charge you a fee to place, temporarily lift, or permanently remove a security freeze. Maine residents cannot be charged to place, lift or remove a security freeze. You must contact each of the credit reporting agencies separately to place a security freeze on your credit file:

Equifax Security Freeze        

Experian Security Freeze      

  TransUnion LLC

P.O. Box 105788                 

P.O. Box 9554                

  P.O. Box 2000

Atlanta, GA 30348      

Allen, TX 75013             

  Chester, PA 19022-2000

800-685-1111                       

888-397-3742           

  888-909-8872

800-349-9960 (NY Residents)



www.freeze.equifax.com           

 www.experian.com            

  freeze.transunion.com  




  • Educating yourself further on identity theft, fraud alerts and the steps one can take to protect against identity theft and fraud by contacting the Federal Trade Commission or your state Attorney General. The Maine Attorney General can be reached at:  6 State House Station, Augusta, ME, 04333, (207) 626-8800. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.ftc.gov/idtheft/, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. Further information on how to file such a complaint can be gained by contacting any of the reporting credit agencies listed above.
  • Reporting suspicious activity or incidents of identity theft and fraud to local law enforcement. 

SOURCE MaineGeneral Medical Center