Albany, New York – February 14, 2020 –BST & Co. CPAs, LLP (“BST”), an accounting firm in the Albany area, announced today that it has taken action after learning of an incident in which an unknown third party gained access to part of its network. On this network was data for some of BST’s local clients to whom the company provides accounting and tax services, including the medical group, Community Care Physicians, P.C. (“CCP”). Out of an abundance of caution, BST is providing notice of this event to potentially impacted individuals, as well as certain regulators.
What happened? On December 7, 2019, BST learned that part of its network was infected with a virus that prohibited access to its files. BST quickly restored its systems and engaged an industry-leading forensic investigation firm to determine the nature and scope of this incident. After a thorough analysis of all available forensic evidence, the investigation determined the virus was active on BST’s network from December 4, 2019, to December 7, 2019. The virus was introduced by an unknown individual or individuals outside of BST who gained access to part of the network where certain client files are stored, including files from CCP.
Because of the risk that data may have been accessed, acquired, or otherwise disclosed from its network without authorization due to the virus, BST reviewed the files in detail to determine what, if any, personal health information they contained. By February 5, 2020, in conjunction with CCP, BST confirmed the files contained some personal information for certain individuals and ascertained the addresses of these patients to communicate the security incident to them directly.
What information may have been affected by this incident? The investigation determined that, as a result of this incident, certain personal or protected health information for individuals may have been accessed or acquired without authorization, including individuals’ names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions. Patient medical records and Social Security numbers were not impacted by this incident.
Although BST cannot confirm that any individual’s personal information was actually accessed, or viewed without permission, BST is providing this notice out of an abundance of caution and to mitigate risk to individuals.
How will individuals know if they are affected by this incident? BST mailed notice letters on February 14, 2020, to the patients of CCP for whom CCP had valid mailing addresses and whose protected information was contained within the files that may have been accessed or acquired by an unauthorized actor. We anticipate it will take five days for notified patients to receive this letter. If an individual does not receive a letter, but would like to know if he or she was potentially affected by this incident, the individual may call the hotline listed below.
What is BST doing? BST is committed to keeping the data it maintains as secure as possible. BST is taking steps to minimize the potential for unauthorized access to its environment and making reasonable efforts to ensure the continued security of the information in its care. It also offered the potentially impacted individuals access to complimentary credit monitoring services as an added precaution and to mitigate risk.
Who should individuals contact for more information? If individuals have questions or would like additional information, they may call BST’s dedicated assistance line at 866-977-0784 (toll free), Monday through Friday, 9:00 a.m. to 9:00 p.m., Eastern Time.
What can individuals do to protect their information? BST encourages individuals to remain vigilant and take steps to protect against possible identity theft or other financial loss by reviewing their account statements and Explanation of Benefits statements regularly and monitoring their credit reports for suspicious activity. Under U.S. law, individuals over the age of 18 are entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report.
Individuals who believe they may be affected by this incident are encouraged to take additional action to further protect against possible identity theft or other financial loss. At no charge, individuals can also have the credit bureaus place a “fraud alert” on their credit file that alerts creditors to take additional steps to verify the individuals’ identities prior to granting credit in their name. Note, however, that because a fraud alert tells creditors to follow certain procedures to protect individuals, it may also delay individuals’ ability to obtain credit while the agency verifies their identity. As soon as one credit bureau confirms an individual’s fraud alert, the other credit bureaus are notified to place fraud alerts on the individual’s file. Should the individual wish to place a fraud alert, or should the individual have any questions regarding his or her credit report, the individual can contact any one of the agencies listed below.
|P.O. Box 105069||P.O. Box 2002||P.O. Box 2000|
|Atlanta, GA 30348||Allen, TX 75013||Chester, PA 19022|
Individuals may also place a security freeze on their credit reports. A security freeze prohibits a credit reporting agency from releasing any information from an individual’s credit report without thatindividual’s written authorization. However, individuals should be aware that placing a security freeze on their credit report may delay, interfere with, or prevent the timely approval of any requests they make for new loans, credit mortgages, employment, housing, or other services. Pursuant to federal law, individuals cannot be charged to place or lift a security freeze on their credit report. Individuals will need to place a security freeze separately with each of the three major credit bureaus listed above if those individuals wish to place the freeze on all of their credit files. In order to request a security freeze, individuals will need to supply their full names, addresses, dates of birth, Social Security numbers, current addresses, all addresses for up to five previous years, email addresses, a copy of their state identification cards or driver’s licenses, and a copy of a utility bill, bank or insurance statement, or other statement proving residence.
To find out more on how to place a security freeze, individuals can contact the credit reporting agencies using the information below:
Individuals can further educate themselves regarding identity theft, fraud alerts, and the steps they can take to protect themselves, by contacting the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft/, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Individuals can obtain further information on how to file such a complaint by way of the contact information listed above. Instances of known or suspected identity theft should also be reported to law enforcement. This notice has not been delayed by law enforcement.
For Maryland residents, the Attorney General can be contacted by mail at 200 St. Paul Place, Baltimore, MD, 21202; toll-free at 1-888-743-0023; by phone at (410) 576-6300; consumer hotline (410) 528-8662; and online at www.marylandattorneygeneral.gov. For New Mexico residents, they have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in their credit file has been used against them, the right to know what is in their credit file, the right to ask for their credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to New Mexico residents’ files is limited; they must give their consent for credit reports to be provided to employers; they may limit “prescreened” offers of credit and insurance they get based on information in their credit report; and they may seek damages from violators. They may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. BST encourages them to review their rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580. For New York Residents: The New York Attorney General provides resources regarding identity theft protection and security breach response at www.ag.ny.gov/internet/privacy-and-identity-theft. The New York Attorney General can be contacted by phone at 1-800-771-7755; toll-free at 1-800-788-9898; and online at www.ag.ny.gov. For North Carolina Residents: The North Carolina Attorney General can be contacted by mail at 9001 Mail Service Center, Raleigh, NC 27699-9001; toll-free at 1-877-566-7226; by phone at 1-919-716-6400, and online at www.ncdoj.gov. For Rhode Island Residents: The Rhode Island Attorney General can be reached at: 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, 1-401-247-4400. Under Rhode Island law, individuals have the right to obtain any police report filed in regard to this incident.