A Letter From Ambucor Health Solutions To Cardiac Patients Of Stony Brook Internists

I am writing to inform you of an information security incident that Ambucor Health Solutions (“Ambucor”) recently experienced and to share with you the steps Ambucor is taking to address and resolve this issue. Ambucor has worked with Stony Brook Internists, University Faculty Practice Corporation (UFPC) to support your cardiac care. In connection with Ambucor’s work with Stony Brook Internists, UFPC, Ambucor had access to some of your information and to information about the cardiology services provided to you.

Ambucor has been investigating the activities of a former Ambucor employee, and that investigation has revealed that this former employee downloaded certain Stony Brook Internists, UFPC patient information to thumb drives and retained those drives on March 17, 2016 shortly before his employment at Ambucor ended. The former employee is currently incarcerated on unrelated charges. Ambucor has been working with federal law enforcement concerning this incident and has been cooperating fully in the ongoing investigation. As a result of those ongoing efforts, federal law enforcement authorities recently provided Ambucor with two thumb drives that this former employee turned over to them after his departure from Ambucor. On or about July 27, 2016, in connection with this investigation, Ambucor determined that the thumb drives contained Stony Brook Internists, UFPC patient data. However, it was not until September 2016 – when Ambucor completed a detailed review of the forensic and other data contained on the thumb drives – that we discovered that your personal information had been downloaded.

Please note that the thumb drives do NOT include your Social Security number, credit or debit card numbers, medical insurance or Medicare/Medicaid numbers, or other financial information, and no such information about you has been compromised.

This downloaded information may include your first and last name, phone number, diagnosis, medications, date of birth, race, home address, testing data (i.e., type of test, test results, date of test and whether testing was monthly or not), patient identification number, medical device information (i.e., manufacturer, identification number, and model/serial numbers), Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s), and the name and address of the practice where you were seen.

As of this writing, Ambucor has received no information indicating that any of your personal information has been misused.

Nonetheless, out of an abundance of caution, Ambucor is offering you one year of identity protection services at no cost to you. Your year-long membership in CSID Protector coverage, provides you with increased visibility into possible fraudulent activity, access to a team of Identity Restoration Specialists to guide you through the recovery process if needed, and up to $1 million of identity theft insurance for covered expenses.

If you wish to enroll in CSID Protector, you will need to do the following:

  1. VISIT the secure CSID Protector website: https://www.csid.com/csid1yprotector/
  2. PROVIDE your Activation Code: <<CODE>>

Enrollment Deadline: January 15, 2017.

If you have any questions about the enrollment process, please contact CSID Member Services at (877) 926-1113, 24-hours a day, 7-days a week, or e-mail support@csid.com and provide your Activation Code as proof of eligibility.

In addition to the steps Ambucor has taken on your behalf, we have included with this letter additional information on steps you can take to protect the security of your personal information. We urge you to review this information carefully.

Please know that Ambucor takes the security of your personal information seriously, and we sincerely regret any inconvenience this incident might cause you. If you have any questions, you should call our dedicated call center at 866-313-7993.

Sincerely,

Stephen D. Deihl
Executive Director

Steps To Protect The Security Of Your Health Information

 

Medical identity theft is unlikely when health information without individual identifiers, such as Social Security number, health insurance number, or Medicaid number, is compromised, but taking the following steps could help reduce the risk of misuse.

  1. Review Your Billing Statements. You should carefully review the billing statements that you receive from healthcare providers for potentially fraudulent charges, such as charges for services that you did not receive, charges for office visits that you did not make, and charges for medical equipment that you did not receive.
  1. Remain Vigilant For Signs Of Suspicious Activity. If you notice any of the following signs of possible medical identity theft, contact the relevant health care provider or insurance company:
    • A call from a debt collector about a medical debt you don’t owe;
    • Medical collection notices on your credit report that you don’t recognize; or
    • A denial of insurance because your medical records show a condition you don’t have.
  1. Obtain Copies Of Your Medical Files. Federal law gives you the right to know what is in your medical records. If you suspect that your personal information has been misused, contact each doctor, clinic, hospital, pharmacy, laboratory, and location where a thief may have used your information. For example, if a thief got a prescription in your name, ask for records from the health care provider who wrote the prescription and the pharmacy that filled it. You may need to pay for copies of your records, but no more than the fee necessary for the provider to prepare and transmit the records. Check the records for errors. Each health care provider’s notice of privacy practices will provide you with additional information regarding how to submit an access request. You have the right to request a copy of the privacy notice at any time. 
  1. Correct Your Medical Records. If you discover upon reviewing copies of your medical records that any information is inaccurate, you have the right to request that the information be corrected. Write to your medical providers and explain which information is not accurate. Send copies of the documents that support your position. You can include a copy of your medical record and circle the disputed items. Ask the provider to correct or delete each error. Keep the original documents. The medical provider that made the mistakes in your files generally is required to change the information. If a medical provider will not make the changes you request, ask it to include a statement of your dispute in your record.