Southern Indian Health Council, INC. Notifies Patients of Unauthorized Access to Patient Records

Contact: Southern Indian Health Council, Inc.; Quality Management Department
4058 Willows Rd., Alpine, CA 91901
619-445-1188
quality@sihc.org

SOUTHERN INDIAN HEALTH COUNCIL, INC. NOTIFIES PATIENTS OF UNAUTHORIZED ACCESS TO PATIENT RECORDS

Alpine, CA September 13, 2020 – Southern Indian Health Council, Inc. operates a Federally Qualified Health Clinic with locations in Alpine and Campo, California. At SIHC, our top priority is ensuring the health and wellbeing of our patients. SIHC takes its responsibility to safeguard the personal health information of its patients seriously as well as its obligation to inform patients of unauthorized access to their personal information. SIHC is notifying 693 Clinic patients of an incident involving the unauthorized access of an SIHC employee’s e-mail account by an anonymous hacker. SIHC has also reported the hacking incident to appropriate regulatory agencies.

SIHC learned that unauthorized access to its e-mail system occurred on May 11, 2020 when SIHC experienced a “phishing e-mail attack” by an anonymous hacker who accessed the e-mail account of one of SIHC’s employees. SIHC discovered the hacking incident on May 28, 2020 and moved quickly to stop the unauthorized access to the employee’s e-mail inbox and also conducted an investigation of the e-mail phishing attack. SIHC immediately disabled the employee’s mailbox and passwords were changed.

SIHC discovered on or about July 13, 2020 that some of the employee’s e-mails had attachments containing patient protected health information. The e-mails and attachments may have contained the patient’s name along with one or more of the following: address, date of birth, insurance identification number, insurance plan, billing information, diagnostic codes, and/or treatment information. SIHC determined that the e-mail hacker did not send any of these emails or their attachments to external locations by way of SIHC’s e-mail system. SIHC was, however, unable to determine whether or not the hacker viewed or accessed this information before the employee’s e-mail account was disabled. SIHC provides cybersecurity awareness training to its employees on a regular basis and will continue to emphasize security risks associated with “phishing” and other external hacking attacks.

While the personal information in the e-mails/attachments was limited, Clinic patients affected by this incident may wish to consider monitoring their credit report and/or placing a fraud alert or security freeze on their credit file. Clinic patients may contact the three major credit bureaus at the toll-free numbers or through the web sites listed below to place a fraud alert or security freeze on their credit file. The credit bureaus may charge a fee to place fraud alerts or security freezes.

Equifax: 1-888 298-0045 or www.equifax.com
Experian: 1-888-397-3742 or www.experian.com
TransUnion: (888)-909-8872 or www.transunion.com

Individuals who need further information regarding this security incident may call the following number 619-445-1188 ext. 372. or you can call 1-800-805-2683