Notice: Data Security Event

November 25, 2020 – University of Minnesota Physicians (“UMPhysicians”) is issuing notice of a data security event that potentially affected the confidentiality of personal information of certain patients. 

What Happened. UMPhysicians recently completed a thorough investigation and comprehensive data review of a data security event in which cyber attackers used phishing emails to fraudulently access two employee email accounts. The two phishing email attacks were identified on January 31, 2020 and February 4, 2020, shortly after they occurred. UMPhysicians took immediate steps to secure the email accounts and began working with third-party computer forensic investigators to determine the nature and scope of the incidents. The investigation indicated that an unknown actor had access to one employee email account on January 30 and January 31, 2020, and another employee email account on February 4, 2020, for a brief period of time.

Unfortunately, the investigation was unable to determine with certainty to what extent any emails within the two accounts may have been viewed by the cyber attackers. Based on this, in an abundance of caution, we retained third-party specialists to perform a comprehensive review of all information stored in the email accounts at the time of the incidents to identify any personal information present in the accounts. The employee email accounts contained information about individuals because the email accounts were used to perform normal business operations related to health care services provided by UMPhysicians. On March 30, 2020, UMPhysicians began notifying individuals with information present in the accounts while its review was ongoing. Upon completion of the third-party specialists’ review of the full contents of the email accounts, which was a detailed and lengthy process that involved multiple steps to identify the relevant data, we immediately began assessing the results to confirm the identities of potentially affected individuals and obtain their current mailing addresses or other contact information. We recently completed this comprehensive review process.

What Information was Affected. The review determined that one or more of the following types of information associated with an individual were present in an affected email account during the incident:  name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. For a small number of individuals, it may also include Social Security number. We have no evidence indicating that this information was actually viewed during the incident or has been copied or otherwise misused. However, the perpetrators did have access to the two email accounts for a limited period of time so it is possible they may have seen some information. 

What We Are Doing. UMPhysicians takes this incident and the security of the information in its care very seriously. We quickly identified the attacks and took steps to secure the affected email accounts. At the time of the attacks, UMPhysicians had multiple email security controls in place, including multi-factor authentication. We also require all employees to participate in privacy and security training, and we regularly conduct exercises to try to make sure personnel do not fall prey to phishing and related scams. As part of our ongoing commitment to the privacy and security of personal information in our care, we reviewed our policies and procedures and implemented additional safeguards to further control and secure the information in our email system. For example, we conducted refresher training for personnel related to best practices in identifying phishing attempts, and we implemented restrictions on email retention. We also purchased additional technology that will provide for more enhanced detection and prevention of phishing emails. In addition, we notified state and federal regulators where we are required to do so.

What Affected Individuals Can Do. While we are unaware of any misuse of any personal information contained within the impacted email accounts, individuals are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and reporting any suspicious activity immediately to their insurance company, health care provider, or financial institution. In addition, we are offering affected individuals access to complimentary identity and credit monitoring services for 12 months through Kroll. Additional detail can be found below, in the Steps You Can Take to Protect Your Personal Information.

For More Information. Individuals seeking additional information regarding this event can call our toll-free assistance line at (833) 960-3571, Monday through Friday (excluding U.S. holidays), during the hours of 8:00 a.m. to 5:30 p.m., Central Time. You may also write to University of Minnesota Physicians at 720 Washington Avenue SE #200, Minneapolis, MN 55414.

Steps You Can Take To Protect Your Personal Information 

While we are unaware of any misuse of the personal information in the impacted email account, we encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity. Under U.S. law you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.

If you wish to enroll with the Kroll credit monitoring and identity restoration services, please contact our dedicated assistance line to verify that your information was contained within the two email accounts.  After confirmation that you were included, Kroll will assist in enrolling you in the credit monitoring service.

You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.  However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.  Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report.  Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below:

 

Experian: P.O. Box 9554, Allen, TX 75013; 1-888-397-3742; www.experian.com/freeze/center.html

TransUnion: P.O. Box 160, Woodlyn, PA 19094; 1-888-909-8872; www.transunion.com/credit-freeze

Equifax: P.O. Box 105788, Atlanta, GA 30348; 1-800-685-1111; www.equifax.com/personal/credit-report-services

In order to request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years;
  5. Proof of current address, such as a current utility bill or telephone bill;
  6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.); 
  7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.

As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit.  If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years.  Should you wish to place a fraud alert, please contact any one of the agencies listed below:

Experian: P.O. Box 9554, Allen, TX 75013; 1-888-397-3742; www.experian.com/fraud/center.html

TransUnion: P.O. Box 2000, Chester, PA 19016; 1-800-680-7289; www.transunion.com/fraud-victim-resource/place-fraud-alert

Equifax: P.O. Box 105069, Atlanta, GA 30348; 1-888-766-0008; www.equifax.com/personal/credit-report-service

You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself, by contacting the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General. 

The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim.