Netgain Data Security Incident
Community Health Systems, Inc. Patient Notice of Data Security Incident
Moreno Valley, CA: Tuesday, June 15, 2021 – Community Health Systems, Inc. recently learned of a data security incident experienced by Netgain Technology, LLC (“Netgain”), the IT service provider for Health Center Partners of Southern California (“HCP”). HCP supports community health centers in a variety of ways, including collaborative grant-funded programs and services for Community Health Systems, Inc. HCP has sent notification of this incident to potentially impacted individuals and has provided resources to assist them.
What Happened:
Netgain recently informed HCP that it had experienced a data security incident that involved systems containing HCP data. Upon its discovery of the incident, Netgain brought all of its systems offline and engaged outside cybersecurity experts to conduct an investigation and to assist in its mitigation, restoration, and remediation efforts. Once HCP learned of the incident, it engaged its own independent cybersecurity experts to determine what happened, whether any HCP data was compromised as a result of the incident, and the impact of this incident on HCP, its health center members and partners, including Community Health Systems, Inc., and their patients.
According to Netgain, in late September 2020, an unauthorized third party gained access to Netgain’s digital environment, and between October 22, 2020 to December 3, 2020, the unauthorized third party obtained certain files containing HCP data. Netgain stated that it paid an undisclosed amount to the attacker in exchange for assurances that the attacker will delete all copies of this data and that it will not publish, sell, or otherwise disclose the data. In addition, Netgain’s cybersecurity experts conducted regular dark web scans for the impacted files, but such searches have not yielded any indications that the data involved in this incident has been or will be published, sold, offered for sale, or otherwise disclosed. Accordingly, there is no reason to believe that any information involved in the incident has been or will be misused.
Once HCP learned that its data may have been involved in the incident, HCP took steps to identify the individuals whose information was contained in such files and their current mailing addresses in order to provide notification. On March 25, 2021, HCP informed Community Health Systems, Inc. that information relating to some of our patients was contained in the impacted files. Again, we are not aware of any misuse of your personal information as a result of this incident. Nevertheless, out of an abundance of caution, HCP and Community Health Systems, Inc. worked together to send notification letters to potentially impacted patients on April 8, 2021.
What Information Was Involved:
The information contained in the impacted files vary depending on the individual but may include the following: name, address, date of birth, Social Security number, diagnosis/treatment information, prescription information, provider name, medical record number, Medicare/Medicaid number, health insurance policy/member number, and treatment cost information.
What We Are Doing:
HCP worked with Netgain to confirm that it was taking steps to ensure that the information at issue was not being misused and that it has implemented additional measures to enhance the security of its digital environment in an effort to minimize the likelihood of a similar event from occurring in the future. Furthermore, HCP reported the incident to law enforcement agencies, including the Federal Bureau of Investigation; HCP and Community Health Systems, Inc. are committed to assisting their investigation into the matter.
What You Can Do:
The notification letters that were sent to potentially affected individuals include resources and steps that they can take to help protect their personal and protected health information. HCP and Community Health Systems, Inc. have established a toll free call center to answer questions about the incident and to address any concerns. Call center representatives are available Monday through Friday from 6:00 a.m. to 6:00 p.m. Pacific Time and can be reached at 1-833-416-0926.
The privacy and security of our patients’ personal and protected health information is Community Health Systems, Inc’s top priority, and we deeply regret any inconvenience or concern this incident may cause.
While Community Health Systems, Inc. has no evidence of the misuse of any potentially affected individuals’ information, we are providing the following information to help those who want to know more about steps they can take to protect themselves and their personal information:
What steps can I take to protect my personal information?
Please notify your financial institution immediately if you detect any suspicious activity on any of your accounts, including unauthorized transactions or new accounts opened in your name that you do not recognize. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.
You can request a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To do so, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is listed at the bottom of this page.
You can take steps recommended by the Federal Trade Commission to protect yourself from identity theft. The FTC’s website offers helpful information at www.ftc.gov/idtheft.
Additional information on what you can do to better protect yourself is included in your notification letter.