FOR IMMEDIATE RELEASE - TUESDAY FEBRUARY 1ST, 2012

Metro Community Provider Network (MCPN)

Personal Health Information Breach

On Monday, December 5th, 2011, Metro Community Provider Network became aware that a hacker potentially accessed the personal health information of some of our patients’ personal health information. We identified the date of the information breach to be Monday, December 5th, 2011; the same day we became aware of the breach. We are notifying affected individuals in as timely a manner as possible so they may take swift personal action along with our organization’s efforts to reduce or eliminate potential harm. The incident involving protected health information was a result of an email phishing scam. In this incident; a hacker sent an email to several of Metro Community Provider Network’s employees that claimed to be from a trusted source. The email asked for the employee to click on a link and provide login information.  This was then used to gain access to the employee’s confidential emails. It is important to note that none of our employees had any intention to cause patients any harm, nor did they have any intention of allowing a hacker to access personal information; they were victims of a scam.

The information that has potentially been accessed includes patients’ names,  phone numbers, dates of birth, diagnoses (limited to diabetes, hypertension, hyperlipidemias and weight loss) and MCPN internal account numbers.  No credit card or bank account information of any kind was accessed by the hacker.  Approximately 2000 patients may have been affected.

While the types of information disclosed does not appear to present a high risk of identity theft, we recommend that our patients who may have been affected take the following steps to protect themselves from additional harm as a result of this information leak. Patients should contact us at the toll free number 1-855-687-6276 and our customer care staff will be able to inform them if their information may have been accessed. Steps patients can take include:

• Register a fraud alert with the three credit bureaus listed here; and order copies of credit reports if applicable:
  
  • Experian: 1-888-397-3742; www.experian.com; PO Box 9532, Allen, TX 75013
    
  • Transunion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, PO Box 6790, Fullerton, CA 92834-6790
  • Equifax: 1-800-525-6285; www.equifax.com; PO Box 740241, Atlanta, GA 30374-0241
• Monitor account statements, Insurance Explanations of Benefits, and credit reports closely for items that don’t appear to be the patient’s actions that occurred after the incident occurred on 12/5/2011.
• Contact their state’s consumer protection agency. In Colorado, this is the office of the Colorado State Attorney General, 1525 Sherman St., Denver, CO 80203; 1-800-222-4444; or on the web at http://www.coloradoattorneygeneral.gov/initiatives/identity_theft
• Complete the Medical Identity Theft Response Checklist for Consumers by visiting this link on a computer: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_039114.pdf - we are unable to provide you with a printed copy of this resource because it is protected by U.S. Copyright law.

Metro Community Provider Network immediately took action to stop this disclosure and to protect all of our patients’ personal health information from further harm or similar circumstances. Metro Community Provider Network has taken the following actions in response to this incident:

• Initiated a forensic investigation
• Required affected users to immediately change their password (this action effectively stopped further access to information)
• Required affected users to immediately review each and every email in their account and accurately provide the personal information that was potentially accessed
• Performed a phishing test of our users in a controlled and secure environment to identify areas where further education is necessary so that our users know the threat and how to protect our valued customers’ personal information
• Provide annual training to staff regarding personal health information and how important it is to our valued customers to safeguard this information
• Scheduled education of all computer systems users about the threat of phishing and the damage that it can cause to Metro Community Provider Network and our valued customers
• Implementing policies and procedures that will provide severe sanctions against any employee of Metro Community Provider Network that acts in a manner that poses a risk of breach of information

Metro Community Provider Network sincerely apologizes for the inconvenience and concern this incident causes. Information privacy is very important to us and we will continue to do everything that we can to correct this situation and fortify our operational protections for all of our valued customers.

Patients may contact us with any questions or concerns that they have regarding this incident:

• Call us toll free at 1-855-687-MCPN (6276) between the hours of 8:00 am and 4:00 pm Monday through Friday
• Email us at hipaa@mcpn.org
• Send us a letter at
  • Metro Community Provider Network
    Attention: HIPAA Privacy Officer
    3701 S Broadway St., Englewood, CO 80113