Health Quest Medical Practice (“HQMP”) is a healthcare provider and maintains information related to those services. This notice relates to HQMP’s ongoing investigation of an incident that may have involved some patients’ information. This notice explains the incident, measures HQMP has taken and some steps that can be taken in response.
On April 2, 2019, through HQMP’s ongoing investigation of a phishing incident, HQMP determined an unauthorized party may have gained access to emails and attachments in several employee email accounts that may have contained patient information. HQMP first learned of a potential incident in July 2018, when several employees were deceived by a phishing scheme, which resulted in certain workforce members being tricked into inadvertently disclosing their email account credentials to an unauthorized party. Although these phishing emails appeared to be legitimate, they were sent by an unknown actor and were designed to have the recipients disclose their email account usernames and passwords. Upon learning of the incident, the employee email accounts in question were secured and a leading cybersecurity firm was engaged to assist us in our investigation. As part of the investigation, HQMP performed a comprehensive review of the contents of the email accounts in question to determine if they contained any sensitive information.
Through this ongoing review, on January 25, 2019, HQMP identified email attachments that contained certain health information, and on April 2, 2019, were determined to contain patient information, which may have included names, provider names, dates of treatment, treatment and diagnosis information, and health insurance claims information, related to services some patients received at HQMP between January 2018 and June 2018.
Although, to date, HQMP has no evidence that any information has been misused or was in fact viewed or accessed, HQMP began notifying the potentially affected individuals on May 31, 2019, and we have established a dedicated call center to answer any questions. If you believe you may be affected by this incident but did not receive a letter by June 10, 2019, please call, 1-800-277-0105, Monday through Friday, 9:00 a.m. to 6:30 p.m. EST.
HQMP regrets any inconvenience or concern this may cause you. To help prevent a similar incident from occurring in the future, HQMP is implementing multi-factor authentication for email and additional procedures to further expand and strengthen its security processes. HQMP is also providing additional training to its employees regarding phishing emails and other cybersecurity issues.