December 5, 2022: Mississippi Sports Medicine and Orthopaedic Center (“MSMOC”) is providing an update regarding a data security event that may have compromised the information of some patients. As a trusted provider committed to the well-being of our patients, including those seeking specialized care from our Sports Medicine Doctors, we understand the importance of transparency and are sharing details about this incident, the actions we have taken, and guidance for potentially affected individuals to safeguard themselves against potential identity theft or fraud.
What Happened?
On March 9, 2022, MSMOC detected unusual activity within our computer network, including the unauthorized encryption of certain data. We immediately initiated measures to secure our network and launched a comprehensive investigation with the support of external cybersecurity experts. Our goal was to fully understand the nature and scope of this incident and to restore all MSMOC operations as quickly as possible.
The investigation revealed that unauthorized access to our network occurred between March 3, 2022, and March 9, 2022. During this period, certain files within MSMOC’s network may have been viewed and/or accessed by an unauthorized actor. Furthermore, on March 11, 2022, we discovered that some patient records were inaccessible after our medical records system was restored from backup systems. To address this, our physicians and staff diligently worked to restore access to and recreate patient records using available information, including patient chart notes.
Following these immediate actions, we undertook a thorough and extensive review of the affected files to determine if sensitive information was present and to identify the patients who might be impacted by this event. This review has recently concluded, and we are now sending notification letters to potentially affected individuals.
Which Patients and What Information Was Affected?
The specific types of information potentially affected by this event vary for each individual and are detailed in the letters being sent to impacted patients. It is important to understand that not every patient was affected by this incident, and among those who were, the types of information involved differ. If you received a letter, please refer to the “What Information Was Involved?” section within it for details specific to you. If you have not received a letter but believe you might be affected, please contact our dedicated assistance line at the number provided in the “For More Information” section below.
The patient records that are currently inaccessible and unrecoverable are those created between February 28, 2022, and March 8, 2022. The types of records impacted may include, but are not limited to: physician and/or surgical notes, patient appointment records, X-ray, MRI, and/or surgical images, certain billing information, and prior authorization records.
The categories of patient-related information potentially compromised due to the unauthorized network activity include: name, Social Security number, address, telephone number, email address, date of birth, medical record number, health plan beneficiary number, signature, and medical and/or clinical information. This medical information may encompass diagnosis and treatment history, disability information, physician name, and health insurance details.
MSMOC’s Actions in Response
MSMOC is deeply committed to protecting the security of your information and takes this event extremely seriously. Upon discovering the incident, we acted immediately to restore our operational capabilities and enhance the security of our systems. As part of our ongoing dedication to safeguarding the privacy of personal information entrusted to us, we are currently reviewing our existing policies and procedures. We are also in the process of implementing additional administrative and technical safeguards to further strengthen the security of the information within our systems. We have also notified federal law enforcement and the U.S. Department of Health and Human Services about this event.
Steps Potentially Affected Individuals Can Take
MSMOC encourages all current and former patients who may have been affected to be vigilant against potential identity theft. We recommend carefully reviewing account statements and explanations of benefits for any unusual activity. Should you notice any suspicious activity, please report it immediately to your insurance company, healthcare provider, or financial institution. Further details and recommendations are available in the Steps You Can Take to Help Protect Your Information section below and in the notification letters sent to affected individuals.
For More Information
If you have any further questions or require additional information, please do not hesitate to call our assistance line at (800) 624-9168, available from 7:00 am CT to 5:00 pm CT, Monday through Friday. You can also reach us by mail at MSMOC, 1325 East Fortification St., Jackson, MS 39202, Attn: Compliance Officer.
STEPS YOU CAN TAKE TO HELP PROTECT YOUR INFORMATION
Monitor Your Accounts
Under U.S. law, you are entitled to receive one free credit report annually from each of the three major credit reporting agencies: Equifax, Experian, and TransUnion. To obtain your free credit reports, please visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You can also contact these credit reporting bureaus directly to request a complimentary copy of your credit report.
Consumers have the option to place either an initial or extended “fraud alert” on their credit file at no cost. An initial fraud alert remains on your credit file for one year. When a business sees a fraud alert on your credit file, they are required to take extra steps to verify your identity before granting new credit. If you are a victim of identity theft, you are eligible for an extended fraud alert, which lasts for seven years. To place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
Alternatively, you have the right to place a “credit freeze” on your credit report. This measure prevents a credit bureau from releasing information from your credit report without your explicit authorization. A credit freeze is designed to help prevent credit, loans, and services from being approved in your name without your consent. However, please be aware that using a credit freeze to manage access to your personal and financial information may potentially delay, interfere with, or prevent the timely approval of any future requests or applications for loans, credit, mortgages, or other accounts requiring credit extension. Federal law prohibits any charges for placing or lifting a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
- Full name (including middle initial and suffixes like Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the past two to five years;
- Proof of your current address, such as a recent utility or telephone bill;
- A clear photocopy of a government-issued identification card (driver’s license, state ID, military ID, etc.); and
- If you are an identity theft victim, a copy of a police report, investigative report, or complaint filed with a law enforcement agency regarding the identity theft.
To place a fraud alert or credit freeze, please contact the three major credit reporting bureaus:
EQUIFAX | EXPERIAN | TRANSUNION |
---|---|---|
https://www.equifax.com/personal/credit-report-services/ | https://www.experian.com/help/ | https://www.transunion.com/credit-help |
1.888.298.0045 | 1.888.397.3742 | 1.833.395.6938 |
Equifax Fraud Alert, P.O. Box 105069, Atlanta, GA 30348-5069 | Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013 | TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016 |
Equifax Credit Freeze, P.O. Box 105788, Atlanta, GA 30348-5788 | Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013 | TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094 |
Additional Information Resources
You can further inform yourself about identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission (FTC), or your state Attorney General.
The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The FTC also encourages individuals who discover their information has been misused to file a complaint with them. You can find more information on how to file a complaint through the contact details provided above.
You have the right to file a police report if you experience identity theft or fraud. Note that to file a police report for identity theft, you will likely need to provide some evidence that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice was not delayed by law enforcement.
Contact Information for State Residents:
For Maryland residents, the Maryland Attorney General can be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-528-8662 or 1-888-743-0023; and www.oag.state.md.us.
For New York residents, the New York Attorney General can be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov/.
For North Carolina residents, the North Carolina Attorney General can be contacted at: 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov.