Monday, September 13, 2021
Notice of Data Security Incident
View the Malware Incident FAQ
San Juan Regional Medical Center (“SJRMC”) identified unauthorized access to its network on September 8, 2020. Upon learning of the issue, SJRMC immediately took steps to secure the network and mitigate against any additional harm. After an extensive forensic investigation, we determined that as part of this incident, an unauthorized individual removed information from our network on September 7-8, 2020. Following a thorough manual document review of the files that were removed, we discovered on July 13, 2021 that the impacted files contained the personal and protected health information of certain patients who are now being notified.
The impacted information includes names, dates of birth, Social Security numbers, driver’s license numbers, passport information, financial account numbers, health insurance information, and medical information (diagnosis, treatment, medical record number, patient account number). This incident does not impact all SJRMC patients and not all information was impacted for all individuals. SJRMC is now notifying individuals so that they can take steps to protect their information.
We have no evidence that any of the information has been misused. Nevertheless, in addition to providing this website notice, SJRMC is sending notification to all affected patients for whom we have enough information to determine a physical address. We have also set up a dedicated call center. SJRMC is offering complimentary credit monitoring services to those individuals whose Social Security numbers were contained in the files that were removed. Notified individuals can also take additional precautionary measures, including placing fraud alerts and/or security freezes on credit files, and obtaining a free credit report. Additionally, individuals should always remain vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis. Notified patients should monitor insurance statements for any unauthorized transactions.
SJRMC previously identified and notified patients of this incident. The manual document review of the impacted files was extensive and required significant time to complete. As a result, SJRMC provided two rounds of notification – one in June and one in September.
SJRMC takes this incident and security of personal information very seriously. Cybersecurity threats continue to evolve and as a result, SJRMC has taken additional steps to secure its network and improve internal procedures to identify and remediate future threats. SJRMC continues to assess and update its internal policies and procedures in order to minimize the risk of a similar incident in the future.
For further questions or additional information regarding this incident, or to determine if you may be impacted by this incident, please contact the dedicated toll-free response line at 855-535-1836, Monday through Friday, 7:00 am to 7:00 pm Mountain Time.
– OTHER IMPORTANT INFORMATION –
Placing a Fraud Alert on Your Credit File.
You may place an initial one (1) year “fraud alert” on your credit files, at no charge. A fraud alert tells creditors to contact you personally before they open any new accounts. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others.
P.O. Box 105788
Atlanta, GA 30348
P.O. Box 9554
Allen, TX 75013
P.O. Box 6790
Fullerton, PA 92834-6790
Placing a Security Freeze on Your Credit File.
If you are very concerned about becoming a victim of fraud or identity theft, you may request a “security freeze” be placed on your credit file, at no charge. A security freeze prohibits, with certain specific exceptions, the consumer reporting agencies from releasing your credit report or any information from it without your express authorization. You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
TransUnion Security Freeze
P.O. Box 2000
Chester, PA 19016
In order to place the security freeze, you’ll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
Obtaining a Free Credit Report.
Under federal law, you are entitled to one free credit report every 12 months from each of the above three major nationwide credit reporting companies. Call 1-877-322-8228 or request your free credit reports online at www.annualcreditreport.com. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
Additional Helpful Resources.
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.
If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name, or to commit fraud or other crimes against you, you may file a police report in the city in which you currently reside.
Protecting Your Medical Information.
The following practices can help to protect you from medical identity theft.
- Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
- Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access to current date.
- Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.