Vascular Surgical Associates Protected Health Information Breach
Vascular Surgical Associates was recently the victim of a hacking incident that may have resulted in inappropriate access to certain information about you. On or about September 13, 2016, we became aware of suspicious activity involving one of our computer servers. We initiated an investigation and learned that one of our computer servers was accessed using a compromised vendor password around the time of a software application upgrade. As a result, computer hackers gained access to the server over a period of time from around March 25, 2016 until our internal IT staff discovered it on September 13, 2016. Our investigation has determined that these hackers probably reside in other countries.
Although our investigation was not able to definitively conclude whether the hackers actually accessed or obtained a particular individual’s information, it would have been possible for the hackers to access and obtain patient information about many of our current and former patients, including medical records and demographic information such as date of birth and address. No social security numbers or financial data was stored on the compromised server.
This incident did not involve or affect the security of our patient portal or our ability to continue to provide the high-quality care you have come to expect from us. Upon learning of the incident and verifying the unauthorized access through forensic evaluation, we immediately secured the server so that this type of attack could not occur again. We are confident that none of our staff had any involvement in this incident, as the compromised password that was used to access the information was only available to our vendors and their staffs.
Letters have been sent to each of our patients potentially affected by this unfortunate event. The letters contain the steps that you can take to protect yourself from the potential misuse of this information. To the best of our knowledge, no social security numbers, no bank information, and no credit card data was on the server. We do, however, recommend that you monitor those accounts closely for the next year.
We have also reported the incident to the FBI and the U.S. Department of Health and Human Services Office for Civil Rights, each of whom will open an investigation. We feel very strongly that the people who took these wrongful actions against you and us should be brought to justice.
We deeply regret that this incident occurred. As part of our response to the incident, we have established a call center to personally address your concerns and answer your questions. Patients may contact the call center toll-free at (800)-550-6616 between 9:00 a.m. and 5:00 p.m. Eastern time, Monday through Friday.
Thank you for the opportunity to care for you and your family. We trust that our response to the bad actions of others demonstrates our unwavering commitment to providing you with the highest standard of care. Our patients matter to us.