We are providing notice of a data security incident involving HMC Healthworks, Inc. (“HMC”) that may have resulted in the unauthorized access to certain individual’s personal information. We take the privacy and protection of our patient’s information very seriously. We sincerely apologize and regret any inconvenience this incident may cause. This notice contains information about what happened, steps we have taken, and the resources we are making available.
On October 13, 2020, HMC learned that certain Microsoft Office 365 email accounts were accessed by unauthorized entities and used to send unauthorized emails. HMC immediately engaged third-party forensic specialists to assist HMC in its analysis of any unauthorized activity. Through this investigation, it was determined that eleven email accounts maintained and utilized by HMC for business purposes were compromised on September 15, 2020. Emails were sent from these accounts to certain HMC employees, service providers who worked with HMC and individuals who were known to the employees whose email accounts were accessed.
What information was involved:
During our investigation, we discovered that the personal information of certain individuals, including their name and one or more of the following personal attributes was accessible to the unauthorized party: date of birth, current and any previous address, medical and health information including prescription information and, for a small percentage of individuals, Social Security number. At this time we do not have any evidence that any personal information has been misused. Nevertheless, we are notifying all potentially affected individuals out of an abundance of caution. We have begun mailing letters to individuals whose information was contained in the email accounts.
What we are doing and what you can do:
We take the security of all information in our control very seriously, and are taking steps to prevent a similar event from occurring in the future by implementing additional safeguards and security measures to enhance the privacy and security of information in our systems.
Although we are unaware of any misuse of our or anyone’s information, to help relieve concerns and restore confidence following this incident, we have secured the services of IDX to provide identity monitoring, at no cost, to affected individuals for twelve (12) months or twenty-four (24) months depending on individual state law requirements.
For More Information:
Please know that the protection and security of your personal information is of our outmost priority, and we sincerely regret ant concern or inconvenience that this matter may cause you. If you have any questions, please call IDX at 1-800-939-4170 Monday through Friday, 9am – 9pm Eastern Time.
Download PDF of Notice of Data Incident here.