Adirondacks ACO, LLC (“Adirondacks ACO”) is committed to protecting the confidentiality and security of patient information that it receives. Regrettably, this notice concerns an incident involving some of that information.
Adirondacks ACO is an accountable care organization, which consists of various health care providers (“members”). ACO providers coordinate amongst themselves, and with each individual, to improve the individual’s quality of care. To help accomplish this function, we receive and analyze patient information pertaining to the services ACO member providers provide to patients. On May 3, 2019, we notified certain of our members that we recently discovered unauthorized remote access to an email account assigned to a joint employee of Adirondacks ACO and Champlain Valley Physician’s Hospital (“CVPH”), one of our partner hospitals. CVPH determined that the unauthorized access occurred between March 2 and March 4, 2019. CVPH performed a comprehensive review of the account’s content and determined that emails and/or attachments reflected services performed by Adirondacks ACO related to its member providers and carriers, and included some patient information. The information may have included patients’ names, dates of birth, Medicare ID numbers or health insurance numbers, and limited treatment and/or clinical information. In a limited number of instances, patients’ social security numbers were also included in the account.
This incident did not affect all of the ACO’s members’ patients; but only those patients who had information contained in the affected email account.
There is no indication that any patient information has been misused. However, we mailed notification letters to our members’ patients whose information was identified in the account. We have also established a dedicated toll-free call center to answer questions patients may have about the incident. If you have questions, please call 1-877-347-0178, from 9:00 a.m. to 9:00 p.m. Eastern time, Monday through Friday.
For patients whose Social Security number was contained in the email account, we are offering complimentary credit monitoring and identity protection services. We also recommend patients review any billing or explanation of benefits statements they receive from their health care insurers or health care providers. If you see services they did not receive, you should contact the health insurer or provider immediately.
We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of our members’ information. To help prevent something like this from happening in the future, Adirondacks ACO and CVPH continue to assess systems and implement safeguards to address risks. We are also reinforcing employee training on how to detect and avoid phishing emails.