A reader sent me a link to a breach notice that a relative had received from Apex Laboratory on Long Island. I’m reproducing the contents below:
Apex Laboratory, Inc.
110 Central Ave – Farmingdale, NY 11735RE: Important Security and Protection Notification.
Please Read This Entire Letter.
Dear Valued Clients of Apex Laboratory, Inc.,We are writing to let you know that on July 30, 2012, Apex Laboratory, Inc. was informed by law enforcement investigators that an unauthorized individual(s) recently gained access to one of our computer systems and viewed certain personal information about a number of our patients. At the request of law enforcement this notification was not immediately sent so as not to compromise their investigatory efforts. The system which was accessed contained names, addresses, phone numbers, dates of birth, gender, social security numbers, and insurance identification numbers. We do not believe that any information pertaining to any of our patients’ health conditions or treatments was viewed by anyone without proper authorization.
While we believe that only a small percentage of our patients’ records were accessed by the unauthorized individual(s), we are providing this notice to all of our patients whose social security numbers are maintained on the system that was accessed. Although we currently have no reason to believe that information from our system has been misused, we want to inform you of the incident and let you know what steps you can take to protect yourself from fraud and identity theft.
As a precaution, we recommend that you contact the IRS Identity Protection Specialized Unit at 1-800-908-4490 where they will secure your account against possible fraudulent income tax returns. We also recommend that you place a fraud alert on your consumer credit file. A fraud alert lets potential creditors who access your credit file know to be especially cautious for indicators of suspicious activity and to take extra care to ensure any credit applications are legitimately authorized. To place a fraud alert, which is free of charge, you can call any one of the three major credit bureaus, which will notify the other credit bureaus on your behalf.
Experian: l-888-397-3742
Equifax: l-800-525-6285
TransUnion: 1-800-680-7289
There does not seem to be any notice on Apex’s web site at this time. In time, we’ll find out if it is posted on HHS’s breach tool.
It’s interesting that they recommend contacting the IRS Identity Protection Specialized Unit. That’s not the typical recommendation I see in such notifications, and I wouldn’t be surprised if law enforcement had provided them with information suggesting that the data were accessed and acquired to use in a tax refund fraud scheme.
Update: a recipient of the letter informs PHIprivacy.net that it was dated September 4.
Where’s the free year (or more) of credit monitoring? My non-medical business had to pay a mandated minimum amount of online/internet/advertising/libel/digital security insurance as part of the professional liability/completed projects type of insurance that my type of business was exposed to. It was automatically included in the quote, and part of the policy after it was approved, signed and paid. There was options to buy more coverage, but the minimum coverage was mandatory 15 years ago. Medical sites? With private health info/HIPAA? That are exposed to the internet? And which usually allow physicians/hospitals to log in & download patient info and test results? No insurance for data losses? Their site is running a windows server. With all the viruses, trojans and other malware infecting business networks runnung windows by simply opening an email with the malware payload…no insurance?