Data Security Incident - PIH Health

Skip to Content

Notification of Data Security Incident

January 10, 2020 – PIH Health has become aware of a data security incident that may have impacted personal information and protected health information belonging to certain current and former patients.  On January 10, 2020, PIH Health notified potentially impacted individuals of this incident and provided resources to assist them. 

On June 18, 2019, PIH Health learned that certain PIH Health employee email accounts had potentially been accessed without authorization as a result of a targeted email phishing campaign. Upon learning of this information, PIH Health took steps to secure its email system and network, including resetting the passwords required to access potentially affected employee email accounts.  PIH Health also immediately launched an investigation and engaged leading, independent cybersecurity experts to provide assistance.  On October 2, 2019, as a result of this investigation, PIH Health learned that certain employee email accounts were accessed without authorization between June 11, 2019 and June 18, 2019 as a result of the above-referenced phishing campaign.  

Upon receipt of confirmation of unauthorized access to certain PIH Health employee email accounts, PIH Health engaged the same leading, independent cybersecurity experts to determine whether the accessed employee email accounts contained personal information and/or protected health information that may have been subject to unauthorized access as a result. On November 12, 2019, as a result of that review, PIH Health learned that information belonging to certain current and former patients was contained within the accessed email accounts. PIH Health then worked diligently to identify contact information for all potentially affected individuals  in order to provide them with notice of the incident. 

The above-referenced unauthorized access was limited to PIH Health email accounts and did not extend to other PIH Health information systems.  Moreover, PIH Health is not aware, and the independent forensic investigation did result in the identification of, any evidence that information involved in this incident has been misused.  Nonetheless, out of an abundance of caution, PIH Health provided notice to potentially affected individuals.  PIH Health takes the security of all information very seriously and is implementing additional security measures to help prevent a similar occurrence in the future. 

Notification letters were sent to all potentially impacted individuals whose contact information was identified on January 10, 2020.  The letters include information about this incident and about steps that potentially impacted individuals can take to monitor and help protect their information. Contact information for some potentially affected individuals was not identified and PIH Health is providing this website posting as substitute notice to those individuals. 

PIH Health has established a toll-free call center to answer questions about the incident and to address related concerns.  The call center is available Monday through Friday from 8 am to 7 pm Central Time and can be reached at 833.963.0527. In addition, as a precaution, PIH Health is offering complementary credit monitoring services through Kroll to some potentially impacted individuals. PIH Health also notified the U.S. Health and Human Services Office for Civil Rights and consumer reporting agencies of this incident. 

The privacy and protection of private information is a top priority for PIH Health.  PIH Health deeply regrets any inconvenience or concern this incident may cause. 

The following information is provided to help individuals wanting more information about  steps that they can take to protect themselves: 

What steps can I take to protect my private information? 

  • If you detect suspicious activity on any of your accounts, you should promptly notify the financial institution or company with which the account is maintained. You should also report any fraudulent activity or any suspected incidents of identity theft to law enforcement.
  • You may obtain a copy of your credit report at no cost from each of the three nationwide credit reporting agencies.  To do so, visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three agencies appears at the bottom of this page.
  • Notify your financial institution immediately of any unauthorized transactions made, or new accounts opened, in your name.
  • You can take steps recommended by the Federal Trade Commission to protect yourself from identify theft. The FTC’s website offers helpful information at www.ftc.gov/idtheft.

What should I do to protect myself from payment card/credit card fraud? 

We suggest that you review your debit and credit card statements carefully in order to identify any unusual activity.  If you see anything that you do not understand or that looks suspicious, you should contact the issuer of the debit or credit card immediately. 

How do I obtain a copy of my credit report? 

You can obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies once every twelve (12) months.  To do so, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three agencies is included in the notification letter and is also listed at the bottom of this page. 

How do I put a fraud alert on my account? 

You may consider placing a fraud alert on your credit report. This fraud alert informs creditors of possible fraudulent activity within your report and requests that creditors contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact Equifax, Experian or TransUnion and follow the Fraud Victims instructions. To place a fraud alert on your credit accounts, contact your financial institution or credit provider. Contact information for the three nationwide credit reporting agencies is listed below. 

Contact information for the three nationwide credit reporting agencies is as follows:

Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348
1-800-685-1111
www.equifax.com

Experian Security Freeze
PO Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com

TransUnion (FVAD)
PO Box 2000
Chester, PA 19022
1-800-888-4213
www.transunion.com