FPS Medical Center, Ltd. Experiences Malware Attack, Exposing Information of More Than 28,000 People

Console and Associates, P.C.

Recently, FPS Medical Center, Ltd. (“FPS”) confirmed that the company was the target of what it characterizes as a malware attack that exposed the personal information of 28,024 people. According to FPS, the breach resulted in the full names, addresses, dates of birth, driver’s license numbers, medical information (including treatment and diagnosis information), and health insurance information of affected individuals being compromised. On May 6, 2022, FPS filed official notice of the breach and sent out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the FPS Medical Center data breach, please see our recent piece on the topic here.

What We Know About the FPS Medical Center Data Breach

According to the official notice filed by the company, on March 3, 2022, FPS Medical Center discovered that some of its systems had been encrypted with malicious software, or malware. In response, FPS launched an internal investigation into the incident to learn more about its nature and scope, as well as to determine if any consumer data was compromised as a result. This investigation revealed that between February 28, 2022 and March 3, 2022, the company’s affected systems were accessible to the unauthorized party. Subsequently, FPS learned that the files that the unauthorized party had access to during this time contained sensitive consumer data.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, FPS Medical Center then reviewed the affected files to determine exactly what information was compromised. While the breached information varies depending on the individual, it may include your full name, address, date of birth, driver’s license, medical information, including treatment and diagnosis information, and health insurance information.

On May 6, 2022, FPS Medical Center sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About FPS Medical Center

FPS Medical Center is a healthcare services company based in Lake Havasu, Arizona. The practice serves residents of Lake Havasu City, Bullhead City, La Paz County and Mohave County, providing them with a variety of healthcare-related services, including laboratory testing services, ultrasound services, echocardiogram services, electrocardiogram (EKG) services, skin biopsy services, joint injections, pulmonary function tests, and Protime/INR checks.

What to Do After Learning About a Data Breach Affecting Your Protected Health Information

While most people associate data breaches with leaking financial information or personal data, such as Social Security numbers, an increasing number of hackers are orchestrating cyberattacks designed to obtain protected health information. Protected health information is information that identifies an individual or may be used to identify an individual. According to the U.S. Department of Health and Human Services, protected health information relates to any of the following:

  • A person’s past, present or future physical or mental health or condition,

  • The provision of health care to a person, or

  • The past, present, or future payment for the provision of health care to a person.

The most significant threat presented by a healthcare data breach is that someone uses your information to receive medical treatment using your name. This can lead to two major problems. First, after a healthcare data breach, you may end up getting billed for services that you did not receive. Second, if someone obtains care in your name, it may lead to your medical records containing incorrect information, such as what prescriptions you take and what medications you are allergic to.

Healthcare data breaches pose different risks and concerns from other types of data security incidents. In fact, Experian reports that the average cost to resolve a healthcare data breach is approximately $13,500, whereas the average cost of resolving a traditional data breach is roughly $1,300.

Given this reality, it is important for those who have had their protected health information compromised as a result of a data breach to take certain steps to protect themselves.

Gather Documentation and Report the Data Security Incident

The first thing to do after a data breach affecting your protected health information is to assemble all documentation of the breach. This includes the data breach letter from the company and any fraudulent medical bills you receive in the mail. You should also notify the Federal Trade Commission by submitting an Identity Theft Report.

Review Your Current Medical Records

This next step is perhaps the most difficult but also the most important. You should collect all your medical records and review them to ensure they are still accurate. When reviewing your records, look for any unfamiliar treatments. You should also verify that the addresses and phone numbers in the records are correct and up-to-date.

Request Providers Correct All Errors

If you notice an error in your medical records, you should request that the provider correct the error immediately. Medical providers have a legal duty to correct substantiated claims of an error.

Those with questions about how to proceed after a data breach and what rights they have against the company that leaked their information should reach out to an experienced data breach lawyer as soon as possible.

Below is a copy of the initial data breach letter issued by FPS Medical Center (the actual notice sent to consumers can be found here):

Dear [Consumer],

FPS Medical Center (“FPS”) writes to notify you of a recent event that may affect the security of some of your information. Although there is no indication that your information has been misused in relation to this event, we are providing you with information about the event, our response to it, and what you may do to better protect your personal information, should you feel it appropriate to do so.

What Happened? On or about March 3, 2022, we learned that certain systems in our computer network had become encrypted with malware deployed by an unknown actor. In response, we launched an investigation to determine the full nature and scope of the event. The investigation determined that our systems were accessible to the unknown actor between February 28, 2022 and March 3, 2022. Although the investigation was unable to determine whether patient information stored in the impacted systems had actually been viewed or taken by the unauthorized actor, we could not rule out the possibility of such activity. Therefore, out of an abundance of caution, a thorough review of the patient information stored within the impacted systems was performed to locate address information for potentially affected individuals in order to provide accurate and complete notices. This review was completed by April 25, 2022.

What Information was Involved? The following types of patient information were present in the impacted systems during the event: full name, address, date of birth, driver’s license, medical information, including treatment and diagnosis information, and health insurance information. For a limited number of individuals, Social Security number may have also been present. However, we currently have no indication any information has been misused as a result of this event.

What We Are Doing. We take this event and the security of information in our care very seriously. Upon learning of this event, we immediately took steps to restore our operations and further secure our systems. As part of our ongoing commitment to the privacy of information in our care, we are reviewing our existing policies and procedures and implementing additional administrative and technical safeguards to further secure the information in our systems and reduce the risk of recurrence. Further, we reported this event to law enforcement and are notifying appropriate governmental regulators, including the U.S. Department of Health and Human Services.

What You Can Do. We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your account statements, explanations of benefits, and monitoring your credit reports for suspicious activity and to detect errors. Please review the enclosed Steps You Can Take to Help Protect Personal Information for useful information on what you can do to better protect against possible misuse of your information.

For More Information. If you have additional questions, you may call our dedicated assistance line at 877‐587‐4021 (toll free), Monday through Friday, 9 am to 9 pm Eastern Time, excluding U.S. holidays. You may also write to FPS at 297 S. Lake Havasu Avenue, Suite 204, Lake Havasu City, AZ 86403.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising
