January 21, 2021 – Lynn Community Health Center (“LCHC”) announced today that it is notifying patients of a recent data security incident that impacted the email account of a LCHC employee.
On November 25, 2020, LCHC learned that an unauthorized individual had gained access to the email account of one of its employees as a result of a phishing scheme. Phishing is when an outside party replicates an email from a trusted source and directs it to a third party prompting the third-party recipient to respond as a means to gain unauthorized access to the email account of the recipient.
Upon learning of the incident, LCHC promptly secured the impacted email account to prevent further access and immediately launched an investigation. In doing so, LCHC immediately engaged independent digital forensics experts to determine the scope and extent of the potential unauthorized access to LCHC’s email system and to search for any personal information in the impacted account. LCHC has reason to believe that the phishing efforts were limited to no more than four individual email accounts and was effectively thwarted the same day.
The investigation is ongoing, but LCHC has learned that the personal information of current and former patients, including the names and one or more of the following identifiers, was contained in the affected email account and, therefore, potentially accessible to the unauthorized individual: date of birth, mailing address, phone number, insurance information, medical record number, diagnoses and other clinical information, and for certain patients, Social Security number.
At this time, LCHC has no indication that personal information was collected or misused. LCHC has begun notifying patients whose personal information was contained in the impacted email account and providing information about potential measures those patients can take to monitor and/or protect their information. Patients whose Social Security numbers may have potentially been impacted received an offer for complimentary credit monitoring and identity theft protection services.
LCHC encourages its patients to remain vigilant to the possibility of fraud and identity theft by reviewing credit card, bank, and other financial statements, as well as claims made using their insurance for any unauthorized activity. If individuals detect any suspicious activity, they should notify the entity with which the account is maintained, and promptly report the suspicious activity to appropriate law enforcement authorities, including the police and the state attorney general. In addition, anyone looking for information on fraud prevention can review tips provided by the FTC at www.ftc.gov/idtheft.
LCHC continues to take the security and privacy of personal information very seriously and is taking steps to prevent a similar event from occurring in the future. These steps include implementing additional safeguards and security measures to heighten security of personal information, reinforcing existing information security procedures with employees, and revising information protocols.
Should patients have any questions regarding this incident, they may leave a message at 781-715-6226 with their contact information, and we will return the call as soon as possible during the week (Monday-Friday).