Notice to Our Patients of a Privacy Incident
UMass Memorial Health (“UMass Memorial”) is committed to protecting the security and privacy of our patients’ and health plan participants’ information. Regrettably, this notice explains an incident that may have involved some of that information.
Our investigation into the nature and scope of the incident determined on January 27, 2021 that a limited number of UMass employees’ email accounts may have been accessed by an unauthorized person. At that time, it was not known specifically what information may have been contained in the accounts. After first identifying suspicious activity within the employees’ email accounts, we immediately took steps to secure the accounts, and a computer forensic firm was engaged to assist with our investigation. The investigation determined that an unauthorized person accessed the accounts between June 24, 2020 and January 7, 2021.
The investigation was unable to determine whether the unauthorized person actually viewed any emails or attachments in the accounts. Out of an abundance of caution, we reviewed all of the emails and attachments contained in the email accounts to determine if they contained any patient or health plan participant information. This process has been time- and labor-intensive, but we wanted to be certain about what information was involved and to whom it pertained.
On August 25, 2021, we completed the process of identifying individuals with information contained in the accounts. For patients, the information involved included names, dates of birth, medical record numbers, health insurance information, and clinical or treatment information, such as dates of service, provider names, diagnoses, procedure information, and/or prescription information. For health plan participants, the information involved included names, subscriber ID numbers, and benefits election information. For some individuals, a Social Security number and/or driver’s license number was also involved.
This incident did not affect all UMass Memorial patients or health plan participants, but only those whose information was contained in the affected email accounts.
We have no indication that individuals’ information was actually viewed by the unauthorized individual, or that it has been misused. However, as a precaution, we mailed notification letters to those whose information was found in the affected accounts. We have also established a dedicated, toll-free call center to answer questions individuals may have. If you have questions, please call (855) 867-2673, Monday through Friday between 9 a.m. and 11 p.m. Eastern Time, or Saturday and Sunday between 11 a.m. and 8 p.m. Eastern Time. For those individuals whose Social Security number and/or driver’s license number was identified in the email accounts, we are offering complimentary credit monitoring and identity protection services. We also recommended that affected individuals review any statements they receive from their health insurers and health care providers. If you see charges for services not received, please contact the insurer or provider immediately.
We regret any concern or inconvenience this incident may cause, and we remain committed to protecting the confidentiality and security of our patients’ and health plan participants’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment, including enabling multifactor authentication.