Notification of Data Security Incident

Notification of Data Security Incident

May 29, 2020 – Good Samaritan Hospital ("Good Sam") announced today that it provided notifications following a data security incident that may have impacted personal information and protected health information belonging to certain current and former patients. While Good Sam is not aware of any evidence to suggest that any information was actually viewed or misused, Good Sam takes the privacy and security of all information very seriously, and has worked diligently to remediate the incident and support those impacted.

On November 4, 2019, Good Sam learned that certain Good Sam employee email accounts had potentially been accessed without authorization as a result of a targeted email phishing campaign. Upon learning this, Good Sam took swift action to secure its email system and network. Good Sam also immediately launched an internal investigation and engaged leading, independent cybersecurity experts. As a result of this investigation, Good Sam confirmed that certain employee email accounts were accessed without authorization between October 28, 2019 and November 8, 2019 as a result of the above-referenced phishing campaign.

Good Sam worked with their outside cybersecurity experts to determine whether the accessed employee email accounts contained personal information and/or protected health information that may have been subject to unauthorized access as a result. On May 12, 2019, as a result of that review, Good Sam learned that information belonging to certain current and former patients was contained within the accessed email accounts and has worked diligently to provide notice of the incident to potentially affected emails. The information potentially impacted was within the affected employee email accounts in the normal couse and scope of business as a part of regular hospital operations. There is no evidence to suggest that any Good Sam employee acted maliciously.

The above-referenced unauthorized access was limited to Good Sam email accounts and did not extend to other Good Sam information systems. Moreover, as stated above, Good Sam is not aware of any information to suggest that any information within the affected email accounts was actually viewed or misused.

Based on the investigation conducted by Good Sam’s third-party forensic experts, we believe the goal of the unauthorized individual(s) was to utilize the affected email accounts to redirect employee direct deposit payments rather than obtaining patient information.

Nonetheless, out of an abundance of caution, Good Sam is providing notice to those potentially affected individuals. The notices include information about this incident and about steps that potentially impacted individuals can take to monitor and help protect their information. Unfortunately, phishing events have become more common and the phishing campaign experienced by Good Sam is similar to others experienced by other companies and industries. Good Sam takes the security of all information very seriously and is implementing additional security measures to help prevent a similar occurrence in the future.

Good Sam has established a toll-free call center to answer questions about the incident and to address related concerns. The call center is available Monday through Friday from 8:00 a.m. to 5:00 p.m. Pacific Time and can be reached at (844) 989-2768. In addition, Good Sam is offering complimentary credit monitoring services through Kroll to relevant impacted individuals. Good Sam also notified the U.S. Health and Human Services Office for Civil Rights and consumer reporting agencies of this incident.

The privacy and protection of private information is a top priority for Good Sam. Good Sam deeply regrets any inconvenience or concern this incident may cause.

The following information is provided to help individuals wanting more information about steps that they can take to protect themselves:

What steps can I take to protect my private information?

  • If you detect suspicious activity on any of your accounts, you should promptly notify the financial institution or company with which the account is maintained. You should also report any fraudulent activity or any suspected incidents of identity theft to law enforcement.
  • You may obtain a copy of your credit report at no cost from each of the three nationwide credit reporting agencies. To do so, visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three agencies appears at the bottom of this page.
  • You can take steps recommended by the Federal Trade Commission to protect yourself from identify theft. The FTC’s website offers helpful information at www.ftc.gov/idtheft.

How do I obtain a copy of my credit report?

You can obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies once every twelve (12) months. To do so, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three agencies is included in the notification letter and is also listed at the bottom of this page.

How do I put a fraud alert on my account?

You may consider placing a fraud alert on your credit report. This fraud alert informs creditors of possible fraudulent activity within your report and requests that creditors contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact Equifax, Experian or TransUnion and follow the Fraud Victims instructions. To place a fraud alert on your credit accounts, contact your financial institution or credit provider. Contact information for the three nationwide credit reporting agencies is listed below.

Contact information for the three nationwide credit reporting agencies is as follows:

TransUnion

Fraud Victim Assistance Dept.

P.O. Box 6790

Fullerton, CA 92834

1-800-680-8289

www.transunion.com

Experian

National Consumer Assistance

P.O. Box 1017

Allen, TX 75013

1-888-397-3742

www.experian.com

Equifax

Consumer Fraud Division

P.O. Box 105069

Atlanta, GA 30348

1-800-525-6285

www.equifax.com