Notice of Data Privacy Incident

Updated July 1, 2024

On November 28, 2023, we posted notice on this site that Capital Health experienced network outages due to a cybersecurity incident. Our investigation of that incident is ongoing. However, we are updating our earlier notice to provide more information about the incident.

What happened?

Our investigation determined that an unauthorized actor gained access to certain of our systems from November 11 - 26, 2023. Importantly, we continued caring for patients throughout our response to the incident and all our hospitals and clinics are operating normally.

On or about December 1, the forensic investigation determined that the unauthorized third party acquired and/or accessed certain files on the organization’s network. At this point, we have found no evidence that personal information or protected health information has been misused because of the Incident.

What are we doing?

Upon learning of the Incident, we immediately launched an investigation with the assistance of a leading outside forensic security firm to determine the nature and scope of the activity and confirm the security of our computer systems and network. We also reported the Incident to law enforcement, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

Since then, we have been conducting a detailed review of the affected files to determine whether personal information or protected health information was present and to whom the information relates. This process has been time-intensive and continues, but ultimately is necessary to properly identify potentially affected individuals to the extent reasonably possible. At this point, we have begun to identify individuals whose personal information we reasonably believe to have been involved in the Incident and are providing written notice at the mailing address we have on file in accordance with applicable laws.

Out of an abundance of caution, and in accordance with applicable law, we are providing this notice so individuals can take steps to minimize the risk that their information will be misused. We have included a brief description of steps you can take to protect your identity, credit, and personal information.

As an added precaution, we are also offering complimentary access to identity monitoring, fraud consultation, and identity theft restoration services to help mitigate any potential for harm at no cost to you. Please see below for more information on enrollment in these services.

Capital Health endeavors to protect the privacy and security of personal information and protected health information. We have worked diligently to determine how this incident happened and are taking appropriate measures to prevent a similar situation in the future. Since the incident we have implemented a series of cybersecurity enhancements, including installation of additional endpoint detection and response software, and resetting all passwords.

What information was involved?

Based on our investigation to date, and consistent with other cyber breach incidents which have impacted not only healthcare but other industries as well, we believe there is a possibility that the following types of information may have been involved in the incident: names, addresses, social security numbers, dates of birth, email addresses, telephone numbers and potentially clinical information.

What can you do?

As with any data incident, we recommend that you remain vigilant and consider taking steps to avoid identity theft, obtain additional information, and protect your personal information. Common passwords or passwords you may be using on multiple accounts should be updated to new complex passwords for added security. More steps are described below.

As noted above, we are offering complimentary access to identity monitoring, fraud consultation, and identity theft restoration services to help mitigate any potential for harm. We encourage potentially affected individuals to contact IDX with any questions and to enroll in identity protection services at no cost by calling 888-906-4476. IDX representatives are available Monday through Friday from 9 am-to-9 pm Eastern Time.

We sincerely apologize for this situation and any inconvenience it may cause you.

Recommended steps to help you protect your information:

We recommend you remain vigilant and consider taking the following steps to avoid identity theft, obtain additional information, and protect your personal information:

Obtain Your Credit Report. Order your free credit report at www.annualcreditreport.com, call toll-free at 877-322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s website at www.ftc.gov. When you receive your credit report, review the entire report carefully. Look for any inaccuracies and/or accounts you don’t recognize and notify the credit bureaus as soon as possible in the event there are any. You have rights under the federal Fair Credit Reporting Act (“FCRA”). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information.

Place a Fraud Alert on Your Credit File. A fraud alert helps protect you against an identity thief opening new credit in your name. With this alert, when a merchant checks your credit history when you apply for credit, the merchant will receive a notice that you may be a victim of identity theft and to take steps to verify your identity. You also have the right to place a “security freeze” on your credit file. A security freeze generally will prevent creditors from accessing your credit file at the three nationwide credit bureaus without your consent. You can place a fraud alert or request a security freeze by contacting the credit bureaus. The credit bureaus may require that you provide proper identification prior to honoring your request.

Equifax
P.O. Box 740241
Atlanta, GA 30374
1-800-685-1111
www.equifax.com

Experian
P.O. Box 9532
Allen, TX 75013
1-888-397-3742
www.experian.com

TransUnion
P.O. Box 2000
Chester, PA 19016
1-800-916-8800
www.transunion.com

Remove your name from mailing lists of pre-approved offers of credit for approximately six months. If you aren’t already doing so, please pay close attention to all bills and credit-card charges you receive for items you did not contract for or purchase. This includes explanation of benefits and health insurance policy statements. Review all your bank account statements frequently for checks, purchases or deductions not made by you. Note that even if you do not find suspicious activity initially, you should continue to check this information periodically since identity thieves sometimes hold on to stolen personal information before using it.

The Federal Trade Commission (“FTC”) offers consumer assistance and educational materials relating to identity theft, privacy issues, and how to avoid identity theft. You may also obtain information about fraud alerts and security freezes from the consumer reporting agencies, your state Attorney General, and the FTC. If you detect any incident of identity theft or fraud, promptly report the incident to your local law enforcement authorities, your state Attorney General, and/or the Federal Trade Commission (“FTC”). You can learn more about how to protect yourself from becoming an identity theft victim (including how to place a fraud alert or security freeze) by contacting the FTC at 1-877-IDTHEFT (1-877-438-4338), or www.ftc.gov/idtheft. The mailing address for the FTC is: Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580. You have the right to obtain a copy of the applicable police report, if any, relating to this incident.

For District of Columbia Residents: You can obtain additional information about steps to take to avoid identity theft from the Office of the Attorney General for the District of Columbia, 441 4th Street, NW, Washington, DC 200001, 202-727-3400, www.oag.dc.gov.

For Maryland Residents: You can obtain information about steps you can take to help prevent identity theft from the Maryland Attorney General at: 200 St. Paul Place, Baltimore, MD 21202, 888-743-0023, www.marylandattorneygeneral.gov.

For New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act or www.ftc.gov. In addition, New Mexico consumers may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act. For more information about New Mexico consumers obtaining a security freeze, go to http://consumersunion.org/pdf/security/securityNM.pdf.

For New York Residents: You may also contact the following state agencies for information regarding security breach response and identity theft prevention and protection information: 1) New York Attorney General, (212) 416-8433 or https://ag.ny.gov; or 2) NYS Department of State’s Division of Consumer Protection, (800) 697-1220 or https://dos.ny.gov/consumer-protection.

For North Carolina Residents: You can obtain information about steps you can take to help prevent identity theft from the North Carolina Attorney General at: 9001 Mail Service Center, Raleigh, NC 27699, 1-877-566-7226, www.ncdoj.gov.

For Rhode Island Residents: You may contact and obtain information from and/or report identity theft to your state attorney general at:

Rhode Island Attorney General’s Office
150 South Main Street
Providence, RI 02903
Phone: (401) 274-4400
Website: www.riag.ri.gov