Frequently Asked Questions
Saint Vincents Catholic Medical Centers of New York ("Saint Vincents," "SVCMC," "we" or "us") has prepared these Frequently Asked Questions to provide information regarding a recent security incident involving insurance-related information of current and former patients. While we hope this will answer questions you may have, you may also contact the Saint Vincents information hotline at 1-866-675-3853 for additional information. The hours of operation for the information hotline are Monday - Friday, 9:00 a.m. - 8:00 p.m., EST.
-
What happened?
On June 1, 2007, SVCMC learned that an employee transmitted copies of certain SVCMC databases containing insurance-related information to his home computer in February, 2007. There is the possibility that this employee may also have disseminated the databases to an individual not currently employed by or associated with SVCMC. The employee in question had authorization to access the databases as part of his job responsibilities; however, he was not authorized to transmit the databases outside the control of the hospital.
At this time, we have no knowledge of any misuse of this information beyond its unauthorized transmission.
-
What happened that led to the discovery of the data breach?
Supervisors at SVCMC learned that the employee in question may have transmitted the databases outside the control of the hospital. We promptly investigated the situation and made the determination that this had in fact happened.
-
Why did it take so long to discover the breach?
In this case, we had no reason to think that the employee had transmitted the databases outside the control of the hospital, and we acted promptly when we did learn of this possibility.
-
What did Saint Vincents do in response to the incident?
Upon the discovery of this security breach, SVCMC promptly reported it to the proper law enforcement authorities, which in turn began an investigation. To avoid any possible interference with its investigation, the Manhattan District Attorney's office requested that SVCMC refrain from notifying individuals whose information may have been involved.
Independently, we engaged outside computer forensic experts to help us determine what information was contained in the databases and the exact nature and scope of the improper transmission of information outside the control of SVCMC.
-
What did the forensic investigation find?
Although the forensics analysis is ongoing, we have found that certain mishandled databases contained insurance-related information concerning current and former patients, including, for example, name, date of birth, SVCMC account number, insurance carrier information, insurance claim information and insurance policy numbers. We do not believe that any medical information (such as diagnosis, treatment or medications) was included in these databases. Similarly, we do not believe that the databases contained any credit card or bank account numbers.
However, because insurance carriers sometimes use all or part of a Social Security number as part of their system to identify individuals, some insurance policy numbers in the databases may have contained all or part of a patient's (or a family member's) Social Security number. In those cases, we indicated so in our letter to the patient.
Together with our outside security experts, we will continue to investigate this matter thoroughly.
-
Have any SVCMC patients reported that their personal information has been misused as a result of this incident?
At this time, we have no knowledge of any misuse of this information beyond its unauthorized transmission.
-
When did the employee mishandle the databases?
We believe that the employee transmitted the databases to his home computer in February, 2007. We learned of this on June 1, 2007 and upon the discovery of this security breach, we promptly reported it to the proper law enforcement authorities, which in turn began an investigation. To avoid any possible interference with its investigation, the Manhattan District Attorney's office requested that SVCMC refrain from notifying individuals whose information may have been involved.
-
What has happened between June 1st and now?
Upon our discovery of this security breach, SVCMC promptly reported it to the proper law enforcement authorities, which in turn began an investigation. To avoid any possible interference with its investigation, the Manhattan District Attorney's office requested that SVCMC refrain from notifying individuals whose information may have been involved.
Independently, we engaged outside computer forensic experts to help us determine what information was contained in the databases and the exact nature and scope of the improper transmission of information outside the control of SVCMC. Together with our outside security experts, we will continue to investigate this matter thoroughly.
-
Has Saint Vincents hired outside consultants to help correct this situation?
Yes. We engaged outside computer forensic experts to help us determine what information was contained in the databases and the exact nature and scope of the improper transmission of information outside the control of SVCMC.
-
Why has it taken so long to contact the potentially affected patients?
To avoid any possible interference with its investigation, the Manhattan District Attorney's office requested that SVCMC refrain from notifying individuals whose information may have been involved.
-
Was the employee who mishandled the databases reprimanded? How so?
Upon our discovery of the incident, we promptly suspended the employee in question and immediately identified this employee to the proper law enforcement authorities. Once we determined further details about the incident, we terminated the employee's employment.
-
Is your internal review of this matter complete? If not, when do you expect it to be completed?
The forensics analysis is ongoing and, together with our outside security experts, we will continue to investigate this matter thoroughly. We will be sharing our own findings with law enforcement authorities.
-
What did law enforcement conclude about the incident?
We are not privy to what their investigation is showing.
-
What information may have been included in the databases?
We have found that certain mishandled databases contained insurance-related information concerning current and former patients, including, for example, name, date of birth, SVCMC account number, insurance carrier information, insurance claim information and insurance policy numbers. We do not believe that any medical information (such as diagnosis, treatment or medications) was included in these databases. Similarly, we do not believe that the databases contained any credit card or bank account numbers.
However, because insurance carriers sometimes use all or part of a Social Security number as part of their system to identify individuals, some insurance policy numbers in the databases may have contained all or part of a patient's (or a family member's) Social Security number. In those cases, we indicated so in our letter to the patient.
-
Which individuals is Saint Vincents notifying about this incident?
We are notifying all individuals whose insurance policy number we believe to have been included in the mishandled databases.
-
In what office/department did the breach occur?
The employee worked in the patient billing department of SVCMC.
-
What is Saint Vincents doing to prevent this from occurring again?
We have reviewed the security settings on our computers to prevent the use of unauthorized programs, and installed new, more effective tools to detect any unauthorized software installed on SVCMC workstations. We are also updating the roles of key IT security personnel and developing additional strategies to promote a secure data environment at SVCMC.
-
Which patients were potentially affected by this security incident?
If you received a letter from us, then we believe that your insurance policy number was included in the compromised databases. If you did not receive a letter from us, then we do not believe that your insurance policy number was contained in the compromised databases.
-
Why have I not received a notification letter from Saint Vincents?
If you did not receive a notice letter from SVCMC, we believe that your insurance policy number was not included in the compromised databases.
-
Should I contact my health insurer?
SVCMC has notified your insurance carrier directly about this situation. Your carrier may elect to take measures to prevent unauthorized individuals from filing claims under your policy. We also recommend that you contact your insurer to inquire about any recent claims that have been made using your policy number.
-
Should I ask my insurer for a new policy number?
If your insurance policy number is the same as your Social Security number, consider asking your insurer to issue you a new policy number. However, your insurer may or may not be able to fulfill your request. Even if your policy number is not your Social Security number, your carrier may issue you a new number under certain circumstances.
-
If my insurance company gave me a new policy number, is there anything else that I should do?
If your (or a family member's) Social Security number was included in the compromised databases, SVCMC is offering to assume the cost for one year of credit monitoring. We have arranged for ConsumerInfo.com, Inc., an Experian company, to provide you with this membership at no cost to you. Experian's credit monitoring product is designed to identify and notify you of key changes in your credit reports that may indicate fraudulent activity. Detailed information about the credit monitoring membership is available at http://partner.consumerinfo.com/svcmc.
As an added precaution you may want to track your personal credit information that will show if there has been unusual, unauthorized activity that would affect your credit rating. Under the Fair Credit Reporting Act, each of the three national credit bureaus will provide a free credit report to US citizens once a year. You may also consider a fraud alert or a credit freeze. (See below.)
-
What if my insurance policy number is the same as my Social Security number?
If your (or a family member's) Social Security number was included in the compromised databases, SVCMC is offering to assume the cost for one year of credit monitoring. We have arranged for ConsumerInfo.com, Inc., an Experian company, to provide you with this membership at no cost to you. Experian's credit monitoring product is designed to identify and notify you of key changes in your credit reports that may indicate fraudulent activity. Detailed information about the credit monitoring membership is available at http://partner.consumerinfo.com/svcmc.
-
How do I know if my insurance policy number that was compromised is the same as my Social Security number?
If we determined that your insurance carrier used all or part of your (or a family member's) Social Security number as part of its system to identify you, then the letter that you received from us indicated this.
-
How do I activate the credit monitoring membership provided by Saint Vincents?
If you are eligible, you have until January 25, 2008, to activate your credit monitoring membership. To activate your membership, visit http://partner.consumerinfo.com/svcmc and enter the access code provided on the top of the letter you received from us. This web site will provide further instructions for registration. If you are unable to register or receive notifications online, you can instead use this access code to register for the offline version of Experian's credit monitoring service, by calling 1-888-898-0087.
-
Why is identity theft insurance not being offered as part of my credit monitoring service?
Due to New York state law restrictions, identity theft insurance coverage cannot, by law, be offered by Experian to residents of New York. If you are a resident of New York state, please be aware that Experian's credit monitoring products will not include identity theft insurance, but will otherwise provide the services as described by Experian.
-
What else should I do now?
As an added precaution you may want to track your personal credit information that will show if there has been unusual, unauthorized activity that would affect your credit rating. Under the Fair Credit Reporting Act, each of the three national credit bureaus will provide a free credit report to US citizens once a year.
-
How do I contact the three national credit bureaus?
To order free credit reports from each of the three national credit bureaus, you can call the numbers below, or you can visit their websites for further contact information:
-
TransUnion: 1-877-322-8228 (www.transunion.com)
-
Experian: 1-888-397-3742 (www.experian.com)
-
Equifax: 1-800-685-1111 (www.equifax.com)
-
What do I look for on my credit reports?
When you receive your credit reports, review them carefully. If you find any items that you do not understand on your report or any suspicious information or activity, call the credit bureau at the number provided on the report. A credit bureau staff member will review the report with you.
-
What do I do if my credit accounts have been tampered with or if new accounts have been opened fraudulently?
If you observe suspicious activity in your accounts, contact your creditors immediately by taking the following actions, as appropriate:
-
Speak with someone in the security or fraud department of your credit card issuer, and follow up on that conversation in writing.
-
If you discover a changed billing address on an existing credit card account, close the account and notify the fraud or security department of the card issuer.
-
When you open a new account, ask that a password be required before any inquiries or changes can be made on the account.
-
What if I have additional questions regarding my credit report?
You should contact one of the three credit bureaus listed above and a representative will be able to provide you with all the information necessary. If you have enrolled for Experian's credit monitoring product, as part of your membership, Experian will help you with your questions.
-
What is a fraud alert?
Individuals whose Social Security number may have been involved in this incident may want to consider requesting a fraud alert on their credit bureau records. A fraud alert is a message that credit issuers receive when someone applies for new credit in your name. The message tells creditors that there is a possible fraud associated with the account and gives them a phone number to call (yours) before issuing new credit. To place a fraud alert, you can call the fraud department at any one of the three major credit bureaus.
-
Do I have to call all three credit bureaus to place a fraud alert on my file?
No. You only need to call one of the credit bureaus - they will notify the other two. An alert will be placed on your file with all three bureaus and you will receive a confirming letter from all three.
-
What is a "credit freeze"?
In some states, you have the right to put a "credit freeze" on your credit file, so that credit issuers cannot obtain a copy of your credit report without the use of a PIN number that is issued to you when you initiate your credit freeze. Since the instructions for how to establish a credit freeze differ from state to state, please contact the three major credit bureaus to find out more information.
-
Should I contact the Social Security Administration and change my Social Security number?
The Social Security Administration rarely changes a person's Social Security number. For more information, the Social Security Administration website is available at: www.ssa.gov.
-
Should I close my bank account?
We do not believe that the databases contained any credit card or bank account numbers.
-
Should I close my credit card or other financial accounts?
We do not believe that the databases contained any credit card or bank account numbers.
-
Will Saint Vincents contact me to ask for private information because of this event?
No. As a precaution, SVCMC will never ask you to provide any sensitive personal information, such as your Social Security number, except when you have placed a call to us, or through written requests mailed to your home or billing address. If you do happen to receive a telephone or e-mail contact with such a request, it is not from SVCMC and you should not provide any such information.
-
Can I call someone with my questions about this incident?
Yes. You can call our information hotline at 1-866-675-3853. The hours of operation for the information hotline are Monday - Friday, 9:00 a.m. - 8:00 p.m., EST.
-
If I call the information hotline on behalf of someone who received a notification letter (e.g., I am a parent, caregiver, child of elderly parent, etc.), can you answer my questions?
Through our information hotline, we can answer your general questions. However, if you have specific questions about your charge, we may have to ask for the code number that appears on the letter we sent, or to escalate your call to a specialist at SVCMC.