Recently, FPS Medical Center, Ltd (“FPS”) confirmed that the company was the target of what it called a malware attack in which the personal information of 28,024 people was exposed. According to FPS, the breach exposed the affected individuals’ full names, addresses, dates of birth, driver’s license numbers, medical information (including treatment and diagnostic information), and health insurance information. On May 6, 2022, FPS filed an official notice of the data breach and sent out data breach letters to all affected parties.
If you’ve received a data breach notification, it’s important that you understand what is at risk and what you can do about it. To learn more about how to protect yourself from being a victim of fraud or identity theft, and what your legal options are following the FPS Medical Center data breach, please read our recent article on the subject here.
What we know about the FPS Medical Center data breach
According to an official company statement, on March 3, 2022, FPS Medical Center discovered that some of its systems had been encrypted with malicious software, or malware. In response, FPS launched an internal investigation into the incident to learn more about its nature and scope, and to determine whether consumer data was compromised as a result. This investigation revealed that the company’s affected systems were accessible to an unauthorized person between February 28, 2022 and March 3, 2022. FPS subsequently learned that the files the unauthorized person had access to during that time contained sensitive consumer data.
When FPS Medical Center determined that sensitive consumer data was being accessed by unauthorized persons, it reviewed the affected files to determine exactly what information was compromised. While the information breached will vary from person to person, it may include your full name, address, date of birth, driver’s license, medical information, including treatment and diagnostic information, and health insurance information.
On May 6, 2022, FPS Medical Center sent out data breach letters to anyone whose information was compromised as a result of the recent data security incident.
More information about the FPS Medical Center
FPS Medical Center is a healthcare services company based in Lake Havasu, Arizona. The practice serves residents of Lake Havasu City, Bullhead City, La Paz County, and Mohave County, providing them with a variety of healthcare-related services, including laboratory testing, ultrasound services, echocardiogram services, electrocardiogram (ECG) services, skin biopsy services, joint injections, pulmonary function testing, and Protime/INR checks.
What to do after you become aware of a data breach affecting your protected health information
While most people associate data breaches with leaking financial information or personal information like social security numbers, more and more hackers are orchestrating cyberattacks to obtain protected health information. Protected health information is information that identifies an individual or can be used to identify an individual. According to the US Department of Health and Human Services, protected health information refers to the following:
The past, present, or future physical or mental health or condition of any person,
The provision of health care to a person, or
The past, present, or future payment for the provision of health care to an individual.
The biggest threat of a healthcare data breach is someone using your information to receive medical treatment in your name. This can lead to two major problems. First, after a healthcare data breach, you may be billed for services that you did not receive. Second, having someone receive care in your name may result in your medical records containing incorrect information, such as what prescriptions you are taking and what medicines you are allergic to.
Healthcare data breaches pose different risks and concerns than other types of data security incidents. Experian reports that the average cost of remediating a healthcare data breach is approximately $13,500, compared to the average cost of remediating a traditional data breach of approximately $1,300.
Given this reality, it is important that those whose protected health information has been compromised as a result of a data breach take specific steps to protect themselves.
Gather documentation and report the data security incident
The first thing to do after a data breach affecting your Protected Health Information is to gather all the breach documentation. This includes the company’s data breach letter and any fraudulent medical bills you receive in the mail. You should also notify the Federal Trade Commission by filing an identity theft report.
Check your current medical records
This next step is perhaps the most difficult, but also the most important. You should collect and review all of your medical records to ensure they are still accurate. When reviewing your records, look out for unfamiliar treatments. You should also verify that the addresses and phone numbers in the records are accurate and up to date.
Request providers correct all errors
If you discover an error in your medical records, you should ask the provider to correct it immediately. Medical providers have a legal obligation to correct substantiated claims of error.
Individuals who have questions about what to do after a data breach and their rights against the company that disclosed their information should contact an experienced data breach attorney as soon as possible.
Below is a copy of FPS Medical Center’s original data breach letter (the actual notice to consumers can be found here):
FPS Medical Center (“FPS”) is writing to notify you of a recent event that may affect the security of some of your information. While there is no indication that your information has been misused in connection with this event, we will provide you with information about the event, our response to it and what you can do to better protect your personal information, should you deem it appropriate.
What happened? On or about March 3, 2022, we learned that certain systems on our computer network were encrypted with malware provided by an unknown actor. In response, we launched an investigation to determine the full nature and scope of the incident. The investigation revealed that our systems were accessible to the unknown actor between February 28, 2022 and March 3, 2022. Although the investigation could not determine whether the patient information stored in the affected systems was actually viewed or taken by the unauthorized actor, we could not rule out the possibility of such activity. Therefore, as a precautionary measure, a thorough review of patient information stored in affected systems was conducted to find address information for potentially affected individuals in order to provide accurate and complete notifications. This review was completed by April 25, 2022.
What information was it about? The following types of patient information were present in the affected systems during the event: full name, address, date of birth, driver’s license, medical information including treatment and diagnostic information, and health insurance information. For a limited number of people, the social security number may also have been present. However, we currently have no evidence that any information has been misused as a result of this event.
What we are doing. We take this event and the security of the information entrusted to us very seriously. Upon learning of this incident, we immediately took steps to restore our operations and further secure our systems. As part of our ongoing commitment to the confidentiality of information in our custody, we review our existing policies and procedures and implement additional administrative and technical safeguards to further secure the information in our systems and reduce the risk of recurrence. In addition, we have reported this event to law enforcement and are notifying appropriate government regulators, including the US Department of Health and Human Services.
What you can do. We encourage you to stay alert to incidents of identity theft and fraud by reviewing your bank statements and benefit statements, and monitoring your credit reports for suspicious activity and detecting errors. Please check the attached Steps you can take to help protect personal information for useful information about what you can do to better protect yourself against possible misuse of your data.
For more information. If you have additional questions, you can call our dedicated support hotline at 877-587-4021 (toll-free), Monday through Friday, 9:00 a.m. to 9:00 p.m. Eastern Time, excluding US holidays. You may also write to FPS at 297 S. Lake Havasu Avenue, Suite 204, Lake Havasu City, AZ 86403.