HIPAA Breach Notification

Notification of Data Security Incident

11/6/24 – On or around July 29, 2024, Universal Health Corporation (“UHC”) became aware of potential unauthorized access to certain employee email accounts. Upon discovery, we immediately performed password resets for the affected accounts and swiftly engaged a third-party team of forensic investigators in order to determine the full nature and scope of the incident. On September 24, 2024, following a thorough investigation, UHC discovered that a limited amount of Protected Health Information (“PHI”) may have been accessed by an unauthorized third party in connection with this incident.

Although the forensic investigation could not rule out the possibility that an unknown actor may have accessed certain PHI, there is no indication whatsoever that any information has been misused. The type of information that could have been accessed by the unauthorized actor(s) included patient name, address, date of birth, Social Security number, driver’s license number, financial account number, medical record number, patient ID number, Medicare/Medicaid number, health insurance information, medical diagnosis and treatment information, prescription information, medical treatment location, medical treatment date, healthcare provider name, and medical lab or test result. Importantly, the information potentially impacted may vary for each individual, and may include all, or just one, of the above-listed types of information.

UHC notified potentially affected individuals as quickly as possible via U.S. mail to their most recent address on file. In an abundance of caution, UHC has provided potentially impacted individuals with complimentary credit monitoring services. Additionally, in response to this incident, UHC has implemented additional security measures within its network and facilities and is reviewing its current policies and procedures related to data security. Although UHC has no evidence of actual misuse of information as a result of this incident, patients are nonetheless encouraged to monitor their account statements and explanation of benefits forms for suspicious activity and to detect errors. Patients may also wish to contact the three major credit agencies to place a fraud alert on their credit report – the credit agencies’ contact information is: Equifax (888-378-4329); TransUnion (833-395-6938); and Experian (888-397-3472).

UHC has established a hotline to answer questions about the incident and to address related concerns. The number for the hotline is 1-833-799-6444. You may also contact us by email at compliance@uhealthpro.com, or by writing to 130 Church Avenue, Roanoke, Virginia 24011.

STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION

Monitor Your Accounts

We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your credit reports/account statements and explanation of benefits forms for suspicious activity and to detect errors. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus, TransUnion, Experian, and Equifax. To order your free credit report, visit www.annualcreditreport.com or call 1-877-322-8228. Once you receive your credit report, review it for discrepancies and identify any accounts you did not open or inquiries from creditors that you did not authorize. If you have questions or notice incorrect information, contact the credit reporting bureau.

You have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any of the three credit reporting bureaus listed below.

As an alternative to a fraud alert, you have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without your express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a credit freeze, you will need to provide the following information:

  1. Full name (including middle initial as well as Jr., Sr., III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. Address for the prior two to five years;
  5. Proof of current address, such as a current utility or telephone bill;
  6. A legible photocopy of a government-issued identification card (e.g., state driver’s license or identification card); and
  7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft, if you are a victim of identity theft.

Should you wish to place a fraud alert or credit freeze, please contact the three major credit reporting bureaus listed below:

TransUnion
1-800-680-7289
www.transunion.com

TransUnion Fraud Alert
P.O. Box 2000
Chester, PA 19016-2000

TransUnion Credit Freeze
P.O. Box 160
Woodlyn, PA 19094

Experian
1-888-397-3742
www.experian.com

Experian Fraud Alert
P.O. Box 9554
Allen, TX 75013

Experian Credit Freeze
P.O. Box 9554
Allen, TX 75013

Equifax
1-888-298-0045
www.equifax.com

Equifax Fraud Alert
P.O. Box 105069
Atlanta, GA 30348-5069

Equifax Credit Freeze
P.O. Box 105788
Atlanta, GA 30348-5788