Notice of Data Security Incident
Santa Rosa Community Health (“SRCH”) recently learned of a data security incident involving a corporate email account that may have impacted a limited amount of protected health information (“PHI”). SRCH sincerely apologizes for any inconvenience this may cause impacted patients. Information about the incident and what SRCH has done in response can be found below.
SRCH recently identified suspicious activity associated with a corporate email account and engaged independent computer forensic experts to conduct an investigation to determine what occurred and whether any information may be at risk. As part of the forensic investigation, SRCH asked the investigators to review all email accounts in SRCH’s email environment. The investigation determined that an unauthorized actor gained access to one corporate email account that may have contained PHI. SRCH then engaged a vendor to review the contents of the email account and on December 30, 2020, received a report from the vendor that identified PHI, which may have been stored in the account. SRCH then expended significant time and effort to identify missing contact information and conduct other quality control checks on the data. This process concluded on January 20, 2021.
What information was involved?
From our investigation, it appears that the impacted information may have included names, in combination with one or more of the following elements: dates of birth, health insurance and billing information, and diagnoses and treatment plans. For a limited number of individuals, Social Security numbers were impacted. Bank account information or other financial account information was not contained in the email account and remains secure.
What is SRCH doing?
SRCH has performed a global password reset for all email accounts, increased anti-malware and spam email filters, and is implementing multi-factor authentication on all email accounts. SRCH is also retraining employees on recognizing and responding to suspicious emails. SRCH has mailed letters to impacted individuals and provided notice to appropriate regulators, and offered credit monitoring and identity restoration services through IDX to individuals whose Social Security numbers were impacted.
For more information
To determine whether your information was impacted or for more information about this incident, please call [TFN]. Individuals can also contact the Federal Trade Commission at 600 Pennsylvania Avenue NW, Washington, D.C. 20580, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261 or visit www.ftc.gov/idtheft/ for more information on protecting their identity.