FHN is committed to protecting the confidentiality and security of our patients’ information. We have completed mailing letters to patients whose information was involved in a security incident reported earlier this year. This notice explains that incident and measures we have taken in response.
On April 30, 2020, our ongoing investigation into an email compromise incident determined that a limited number of FHN employees’ email accounts may have been accessed by an unauthorized person. At that time, it was not known specifically what information may have been contained in the accounts. After identifying suspicious activity within the employees’ email accounts, we immediately took steps to secure the accounts and a computer forensic firm was engaged to assist with our investigation. The investigation determined that an unauthorized person accessed the accounts between February 12, 2020 and February 13, 2020. The thorough investigation was unable to determine whether the unauthorized person actually viewed any emails or attachments in the accounts. Out of an abundance of caution, we reviewed the emails and attachments contained in the email accounts to identify patient information that may have been accessible to the unauthorized person. This process, which has been ongoing since April and recently concluded in September, has been time- and labor-intensive, but we wanted to be certain about what information was involved and to whom it pertained.
As a result of that review, we identified emails and/or attachments in the accounts that contained patient information, which may have included some patients’ names, dates of birth, medical record or patient account numbers, health insurance information, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information. In some instances, patients’ health insurance information and/or Social Security numbers have also been identified in the accounts.
This incident did not affect all FHN patients, but only those patients whose information was contained in the affected email accounts.
FHN has no indication that individuals’ information was actually viewed by the unauthorized individual, or that it has been misused. However, as a precaution, between July 31, 2020 and October 7, 2020, we mailed notification letters to those whose information was found in the affected accounts. We also established a dedicated, toll-free call center to answer patients’ questions. If you have questions, please call 1-888-800-3306, Monday through Friday, from 8:00 a.m. to 5:00 p.m. Central Time. For those patients whose Social Security numbers and/or driver’s license numbers were identified in the email accounts, we offered complimentary credit monitoring and identity protection services. We also recommended that affected patients review any statements they receive from their health insurers and health care providers. If patients see charges for services not received, they should contact the insurer or provider immediately.
We regret any concern or inconvenience this incident may cause and we remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment, including enabling multi-factor authentication and revising our email retention policies.