On November 28, 2023, we posted notice on this site that Capital Health experienced network outages due to a cybersecurity incident. Our investigation of that incident is ongoing. However, we are updating our earlier notice to provide more information about the incident.
Our investigation determined that an unauthorized actor gained access to certain of our systems from November 11 - 26, 2023. Importantly, we continued caring for patients throughout our response to the incident and all our hospitals and clinics are operating normally.
On or about December 1, the forensic investigation determined that the unauthorized third party acquired and/or accessed certain files on the organization’s network. At this point, we have found no evidence that personal information or protected health information has been misused.
What are we doing?
Upon learning of the incident, we immediately launched an investigation with the assistance of a leading outside forensic security firm to determine the nature and scope of the activity and confirm the security of our computer systems and network. We also reported the incident to law enforcement.
We are currently in the process of conducting a detailed review of the affected files to determine whether personal information or protected health information was present and to whom the information relates. This process is time-intensive, but ultimately necessary to properly identify potentially affected individuals. Depending on our findings, we may follow this notice by sending letters to impacted individuals at the mailing address we have on file in accordance with applicable laws.
Out of an abundance of caution, and in accordance with applicable law, we are providing this notice to you so that you can take steps to minimize the risk that your information will be misused. We have included a brief description of steps you can take to protect your identity, credit, and personal information.
As an added precaution, we are also offering complimentary access to identity monitoring, fraud consultation, and identity theft restoration services to help mitigate any potential for harm at no cost to you. Please see below for more information on enrollment in these services.
Capital Health endeavors to protect the privacy and security of personal information and protected health information. We have worked diligently to determine how this incident happened and are taking appropriate measures to prevent a similar situation in the future. Since the incident we have implemented a series of cybersecurity enhancements, including installation of additional endpoint detection and response software, and resetting all passwords.
What information was involved?
Capital Health is working diligently to determine precisely who has been impacted by this cyber breach. Likewise, Capital Health is in the process of determining the exact nature of data affected. This work is ongoing. Based on our investigation to date, and consistent with other cyber breach incidents which have impacted not only healthcare but other industries as well, we believe there is a possibility that the following types of information may have been involved in the incident: names, addresses, social security numbers, dates of birth, email addresses, telephone numbers and potentially clinical information.
What can you do?
As with any data incident, we recommend that you remain vigilant and consider taking steps to avoid identity theft, obtain additional information, and protect your personal information. Common passwords or passwords you may be using on multiple accounts should be updated to new complex passwords for added security. More steps are described below.
As noted above, we are offering complimentary access to identity monitoring, fraud consultation, and identity theft restoration services to help mitigate any potential for harm. Beginning Friday, February 2, 2024, we encourage potentially affected individuals to contact IDX with any questions and to enroll in identity protection services at no cost by calling 888-906-4476. IDX representatives are available Monday through Friday from 9 am-to-9 pm Eastern Time. Please note the deadline to enroll is April 30, 2024.
We sincerely apologize for this situation and any inconvenience it may cause you.
Recommended steps to help you protect your information:
We recommend you remain vigilant and consider taking the following steps to avoid identity theft, obtain additional information, and protect your personal information:
Obtain Your Credit Report. Order your free credit report at www.annualcreditreport.com, call toll-free at 877-322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s website at www.ftc.gov. When you receive your credit report, review the entire report carefully. Look for any inaccuracies and/or accounts you don’t recognize and notify the credit bureaus as soon as possible in the event there are any. You have rights under the federal Fair Credit Reporting Act (“FCRA”). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information.
Place a Fraud Alert on Your Credit File. A fraud alert helps protect you against an identity thief opening new credit in your name. With this alert, when a merchant checks your credit history when you apply for credit, the merchant will receive a notice that you may be a victim of identity theft and to take steps to verify your identity. You also have the right to place a “security freeze” on your credit file. A security freeze generally will prevent creditors from accessing your credit file at the three nationwide credit bureaus without your consent. You can place a fraud alert or request a security freeze by contacting the credit bureaus. The credit bureaus may require that you provide proper identification prior to honoring your request.
P.O. Box 740241
Atlanta, GA 30374
P.O. Box 9532
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
Remove your name from mailing lists of pre-approved offers of credit for approximately six months. If you aren’t already doing so, please pay close attention to all bills and credit-card charges you receive for items you did not contract for or purchase. This includes explanation of benefits and health insurance policy statements. Review all your bank account statements frequently for checks, purchases or deductions not made by you. Note that even if you do not find suspicious activity initially, you should continue to check this information periodically since identity thieves sometimes hold on to stolen personal information before using it.
The Federal Trade Commission (“FTC”) offers consumer assistance and educational materials relating to identity theft, privacy issues, and how to avoid identity theft. You may also obtain information about fraud alerts and security freezes from the consumer reporting agencies, your state Attorney General, and the FTC. If you detect any incident of identity theft or fraud, promptly report the incident to your local law enforcement authorities, your state Attorney General, and/or the Federal Trade Commission (“FTC”). You can learn more about how to protect yourself from becoming an identity theft victim (including how to place a fraud alert or security freeze) by contacting the FTC at 1-877-IDTHEFT (1-877-438-4338), or www.ftc.gov/idtheft. The mailing address for the FTC is: Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580. You have the right to obtain a copy of the applicable police report, if any, relating to this incident.
For District of Columbia Residents: You can obtain additional information about steps to take to avoid identity theft from the Office of the Attorney General for the District of Columbia, 441 4th Street, NW, Washington, DC 200001, 202-727-3400, www.oag.dc.gov.
For Maryland Residents: You can obtain information about steps you can take to help prevent identity theft from the Maryland Attorney General at: 200 St. Paul Place, Baltimore, MD 21202, 888-743-0023, www.marylandattorneygeneral.gov.
For New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act or www.ftc.gov. In addition, New Mexico consumers may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act. For more information about New Mexico consumers obtaining a security freeze, go to http://consumersunion.org/pdf/security/securityNM.pdf.
For New York Residents: You may also contact the following state agencies for information regarding security breach response and identity theft prevention and protection information: 1) New York Attorney General, (212) 416-8433 or https://ag.ny.gov; or 2) NYS Department of State’s Division of Consumer Protection, (800) 697-1220 or https://dos.ny.gov/consumer-protection.
For North Carolina Residents: You can obtain information about steps you can take to help prevent identity theft from the North Carolina Attorney General at: 9001 Mail Service Center, Raleigh, NC 27699, 1-877-566-7226, www.ncdoj.gov.
For Rhode Island Residents: You may contact and obtain information from and/or report identity theft to your state attorney general at:
Rhode Island Attorney General’s Office
150 South Main Street
Providence, RI 02903
Phone: (401) 274-4400