Notice of Email Cybersecurity Incident
Notice to Our Patients of Email Security Incident
At Overlake Medical Center & Clinics (“Overlake”), we are committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns an incident involving unauthorized access to an Overlake email account, which may have involved some patient information. While Overlake has no indication that any patient information has been misused, this notice explains the incident, outlines the measures we have taken in response, and offers steps patients can take as a precaution.
What Happened? On June 14, 2022, we learned that an unidentified third party obtained the login credentials for one Overlake staff member’s email account. Because Overlake has a comprehensive information security (IS) program, we were able to identify and quickly respond to the issue and within hours secured the account and immediately began an investigation. The investigation determined that the third party had access to the staff member’s email between June 13 and June 14, 2022. Our investigation cannot rule out the possibility that the third party accessed some information stored in the email account.
What Information Was Involved? The emails may have contained patients’ names and one or more of the following: date of birth, medical record number, patient account number, health insurance information, date(s) of service, treatment cost information, and limited health information related to billing (such as diagnosis codes and treatment information). Social Security numbers and financial account information were not included. No other Overlake information systems or applications were affected by this incident, and Overlake’s security protocols prevented the third party from gaining additional access. This incident affected only a small percentage of Overlake patients.
What We Are Doing & What You Can Do. We have no reason to believe, at this time, that any patient information stored in the affected email account has been misused as a result of this incident. However, in an abundance of caution, beginning August 12, 2022, we are mailing notification letters to affected patients. We also have established a dedicated call center regarding this specific matter that affected individuals can contact for more information, available at 1-855-544-2842, from 6 a.m. to 3:30 p.m. Pacific time, Monday through Friday. Overlake also recommends patients review statements they receive from their healthcare providers and health insurer, and report any inaccuracies to the provider or insurer immediately.
We sincerely regret any concern this incident may cause. Overlake has a robust information security program that strives to always protect the privacy and security of our patients’ and employees’ information. Overlake has and will continue to take steps to mitigate this incident and help prevent something like this from happening again, including continuing comprehensive training for staff members.