Notice to Our Patients of a Privacy Incident
UMass Memorial Health (“UMMH”) is committed to protecting the security and privacy of our patients’ information. Regrettably, this notice explains an incident that may have involved some of that information.
On December 31, 2021, we determined that an email incident could have resulted in unauthorized access to emails and attachments containing information pertaining to certain patients. Upon first identifying suspicious activity within the employees’ email accounts, we immediately took steps to secure the accounts and a computer forensic firm was engaged to assist with our investigation. On September 28, 2021, the investigation determined that a limited number of UMMH employees’ email accounts may have been accessed by an unauthorized person between June 6, 2021 and June 30, 2021. Further, the investigation could not rule out the possibility that the unauthorized person viewed emails or attachments in the accounts. However, at that time, it was not known specifically what information may have been contained in the accounts. Accordingly, out of an abundance of caution, we reviewed the contents of the email accounts to determine if they contained any patient information. This process, which has been ongoing and recently concluded, has been time and labor intensive, but we wanted to be certain about what information was involved and to whom it pertained.
As a result of that review, we identified emails and attachments in the accounts that contained patient information, which may have included some patients’ names, dates of birth, medical record or patient account numbers, and clinical information, such as provider names, dates of service, and/or diagnoses. In a small number of instances, patients’ health insurance information and/or Social Security numbers were also identified in the accounts.
This incident did not affect all UMMH patients, but only those patients whose information was contained in the affected email accounts. Additionally, based on the investigation, the likely purpose of the unauthorized access to the email account was to perpetrate an email phishing scheme or obtain financial information from UMMH, not to access personal information.
We have no indication that individuals’ information was actually viewed by the unauthorized individual, or that it has been misused. However, as a precaution, we mailed notification letters to those whose information was found in the affected accounts. We have also established a dedicated, toll-free call center to answer patients’ questions. If you have questions, please call (855) 541-3559, Monday through Friday, from 9:00 am to 6:30 pm Eastern Time. For those patients whose Social Security numbers were identified in the email accounts, we are offering complimentary credit monitoring and identity protection services. We also recommended that affected patients review any statements they receive from their health insurers and health care providers. If patients see charges for services not received, they should contact the insurer or provider immediately.
We regret any concern or inconvenience this incident may cause, and we remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment, including enabling multifactor authentication.