Message From the ceo
to Employees

Notice of Security Incident

Barlow Respiratory Hospital (“Barlow”) values its patients and the privacy of their information, which is why, as a precautionary measure, we are letting patients know about a recent security incident involving one of our vendors that may affect some of their personal information.

Healthcare Resource Group, Inc. (“HRG”) provides billing services to Barlow and had access to some of our patients’ information in connection with assisting Barlow with its referral process. Although HRG has no evidence of actual misuse of any of this information, we are notifying patients out of an abundance of caution and providing them with steps they may take to help further protect their personal information.

On December 31, 2019, as part of an investigation into an unrelated event, HRG determined that an employee’s email account was subject to unauthorized access between November 4, 2019 and November 30, 2019. HRG was unable to determine what, if any, emails and attachments within the account were subject to unauthorized access. HRG was only able to confirm that the email account was subject to unauthorized access. HRG then enlisted the services of a third-party firm to review the contents of the email account in order to determine whether it contained any sensitive information. While the forensic investigation was ongoing, HRG initially notified Barlow of the event on February 6, 2020 and, at that time, stated it could not confirm whether any sensitive information was contained in the email account in question. HRG continued to conduct its forensic investigation and a time-intensive review of the email contents, which concluded on February 27, 2020. On March 11, 2020, HRG affirmatively notified Barlow about the findings from the forensic investigation.

After a thorough and exhaustive review process, HRG’s investigation determined that the impacted email account contained one or more of the following types of information: name, date of birth, medical record number, patient account number, Medicare or Medicaid ID number, health insurance information, diagnostic information, treatment information, medical billing or claims information, information related medication or prescriptions and, for certain individuals, Social Security number. At this time, however, HRG has no evidence of actual misuse of any of this personal information.

Upon learning of this incident, HRG immediately took steps to secure the email account and launched an in-depth investigation to determine the nature and scope of the incident. Law enforcement has also been notified. As part of HRG’s ongoing commitment to the privacy of personal information in its care, HRG is currently evaluating and updating, as appropriate, its privacy policies and procedures. In addition, HRG has enhanced security awareness training among its workforce and implemented various additional technical safeguards to further secure the information in its systems.

We recommend that you remain vigilant for incidents of fraud and identity theft by regularly reviewing your account statements and monitoring credit reports for any unauthorized activity. If you discover any suspicious or unusual activity on your accounts, you should promptly notify the financial institution or company with which your account is maintained. To help relieve concerns and restore confidence following this incident, HRG has arranged to offer potentially affected individuals, at no cost to them, identity monitoring and identity theft consultation and restoration services through Kroll for 12 months.

For further information and assistance, including instructions on how to enroll in the identity monitoring and identity theft consultation and restoration services provided by Kroll, please call HRG’s toll-free dedicated assistance line at 1-888-921-0533, Monday through Friday, from 8:00 a.m. to 5:30 p.m. Central Time.

ADDITIONAL RESOURCES

Contact information for the three nationwide credit reporting agencies:

Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111

Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742

TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213

Free Credit Report. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the 3 nationwide credit reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

Fraud Alert. You also have the right to place an initial or extended “fraud alert” on your file at no cost by contacting any of the three nationwide credit reporting agencies identified above. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert displayed on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. If you are a victim of identity theft and have filed an identity theft report with law enforcement, you may want to consider placing an extended fraud alert, which lasts for 7 years, on your credit file.

Security Freeze. You have the right to place a “security freeze” on your credit report, free of charge.A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three credit reporting agencies listed above. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.

The credit reporting agencies have 1 business day after receiving your request by toll-free telephone or secure electronic means, or up to 3 business days after receiving your request by mail, to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within 5 business days and provide you with a unique personal identification number (PIN) or password (or both) that can be used by you to authorize the removal or lifting of the security freeze. It is important to maintain this PIN/password in a secure place, as you will need it to lift or remove the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, or to lift a security freeze for a specified period of time, you must submit a request through a toll-free telephone number, a secure electronic means maintained by a credit reporting agency, or by sending a written request via regular, certified, or overnight mail to the credit reporting agencies and include proper identification (name, address, and Social Security number) and the PIN or password provided to you when you placed the security freeze as well as the identity of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have 1 business day after receiving your request by toll-free telephone or secure electronic means, or 3 business days after receiving your request by mail, to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze, you must submit a request through a toll-free telephone number, a secure electronic means maintained by a credit reporting agency, or by sending a written request via regular, certified, or overnight mail to each of the 3 credit bureaus and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have 1 business day after receiving your request by toll-free telephone or secure electronic means, or 3 business days after receiving your request by mail, to remove the security freeze.

Federal Trade Commission and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission (“FTC”), proper law enforcement authorities, and/or the Attorney General’s office in your home state. You may also contact these agencies, as well as consumer reporting agencies, for information how to prevent or avoid identity theft and about fraud alerts and security freezes. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. This notice has not been delayed by law enforcement.

You may contact the FTC, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-IDTHEFT (438-4338).

For California residents: You may also wish to review the information provided by the California Attorney General at https://oag.ca.gov/idtheft.

For Maryland residents: You may obtain information about avoiding identity theft from the Maryland Attorney General’s Office: Office of the Attorney General of Maryland, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us/Consumer, Telephone: (410) 576-6491.

For North Carolina residents: In addition to the FTC, you may obtain information about preventing identity theft from the North Carolina Attorney General at https://ncdoj.gov/protecting-consumers/protecting-your-identity/protect-yourself-from-id-theft, by writing to 9001 Mail Service Center, Raleigh, NC 27699-9001, or calling 1-877-566-7226 or 1-919-716-6000.

For New York residents: You may obtain additional information about security breach response and identity theft prevention and protection from the New York State Office of the Attorney General at https://ag.ny.gov/ or by calling 1-800-771-7755; the New York State Police at http://troopers.ny.gov/ or by calling 1-518-457-6721; and/or the New York Department of State at https://www.dos.ny.gov or by calling 1-800-697-1220.

For New Mexico Residents: You have rights pursuant to the Fair Credit Reporting Act (“FCRA”), such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the FCRA, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit "prescreened" offers of credit and insurance you get based on information in your credit report; and you may seek damages from violator. You may have additional rights under the FCRA not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the FCRA. We encourage you to review your rights pursuant to the FCRA by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response 30-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.

For Oregon Residents: You are advised to report any suspected identity theft to law enforcement, the FTC, and the Oregon Attorney General at https://doj.state.or.us, by calling (877) 877-9392, or writing to the Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096.