Little Rock, Arkansas – October 22, 2020 – Although we are unaware of any actual or attempted misuse, Arkansas Otolaryngology Center (“AOC”) is providing notice of a data privacy event impacting the security of information relating to certain patients and AOC employees.
What happened? On or around July 17, 2020, AOC became aware of suspicious activity relating to an employee email account that was sending unauthorized messages. We immediately launched an investigation to determine what may have happened. Working together with an outside computer forensics firm, our investigation determined that an unauthorized individual accessed four employee email accounts between July 17, 2020 and July 27, 2020. Because we were unable to determine which email messages in the accounts may have been viewed by the unauthorized actor, we reviewed the entire contents of the affected email accounts to identify what personal information was accessible to the unauthorized actor. On September 21, 2020, we identified the individuals potentially impacted by this incident after a thorough manual review of the impacted email accounts. Once we identified the individuals who were potentially impacted, AOC worked to confirm current mailing addresses for the impacted individuals and prepare an accurate written notice of this incident. AOC has worked since this time to locate valid mailing addresses for the potentially impacted individuals in order to provide notice of this event.
What information may have been affected by this incident? The accessed email accounts contained information related to certain patients and employees of AOC. The type of information affected varies per impacted individual, and includes one or more of the following types of information: name, date of birth, Medical Record Number (MRN), Social Security number, diagnosis, doctor’s name, driver’s license number or state identification card number, insurance group number, treatment location, and treatment or procedure type or code. For a very small number of individuals, a financial account number was impacted.
Although we cannot confirm that any individual’s personal information was actually accessed, or viewed without permission, we are providing this notice out of an abundance of caution. We do not have any evidence of actual or attempted misuse of any individual’s information as a result of this incident.
How will individuals know if they are affected by this incident? AOC is mailing notice letters to the individuals for whom we have valid mailing addresses whose protected information was contained within the affected email accounts and may have been accessed or acquired by an unauthorized actor. If an individual did not receive a letter but would like to know if they are affected, they may call the hotline listed below.
What is AOC doing in response? Information privacy and security are among our highest priorities. We have strict security measures to protect the information in our possession. Upon learning of this incident, AOC changed all employee email account passwords and took steps to secure the accounts. AOC is currently implementing additional technical safeguards as well as training and education for employees to prevent similar future incidents. We are also offering the impacted individuals access to complimentary credit monitoring services as an added precaution. Because AOC has insufficient contact information for some of the individuals whose information may be contained in the impacted email accounts, we are providing notice to those potentially impacted individuals by way of a notification published to Arkansas media outlets.
Whom should individuals contact for more information? If individuals have questions or would like additional information, they may call our dedicated assistance line at 1-800-939-4170 (toll free), Monday through Friday, 8:00 a.m. to 8:00 p.m., Central Time.
What can individuals do to protect their information? While AOC is unaware of any actual or attempted misuse of any information involved in this incident, we encourage those potentially impacted by the event to take steps to better protect against identity theft and fraud if they feel it is appropriate to do so.
Monitor Your Accounts. To protect against the possibility of identity theft or other financial loss, AOC encourages you to remain vigilant, to review your account statements, Explanation of Benefits statements, and to monitor your credit reports for suspicious activity.
Credit Reports. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.
Security Freeze. You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence.
Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below:
PO Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
PO Box 105788
Atlanta, GA 30348-5788
To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.
As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the agencies listed below:
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
P.O. Box 105069
Atlanta, GA 30348
Additional Information. You can further educate yourself regarding identity theft, and the steps you can take to protect yourself, by contacting your state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should be reported to law enforcement, your Attorney General, and the FTC. You can also further educate yourself about placing a fraud alert or security freeze on your credit file by contacting the FTC or your state’s Attorney General. This notice was not delayed by a law enforcement investigation.