Vascular Surgical Associates

Questions and Answers Regarding Potential Breach of PHI

Q. What happened?

A. Vascular Surgical Associates was recently the victim of a hacking incident involving our computer system that may have resulted in inappropriate access to certain information about patients.

Q. How did Vascular Surgical Associates find out?

A. Around September 13, 2016, Vascular Surgical Associates IT staff became aware of suspicious activity involving one of our computer servers. The concerns were reported to management and immediate action was taken to secure the server.

Q. Who did it?

A. An investigation of the suspicious activity on the compromised server determined that the hackers probably reside in countries other than the United States. The specific identity of the perpetrators has not been established, but we have requested the services of the FBI and we are hopeful that they will be able to identify those responsible.

Q. Whose fault is it?

A. In our regular and ongoing compliance with government regulations governing the confidentiality and integrity of electronic health information, we hired vendors with national reputations and significant client bases to support the computer system infrastructure we use to maintain our medical records. Their software has been certified by the United States Office of the National Coordinator for Health Information Technology.

A password that was created by one of these vendors and controlled by that vendor was used to access our system inappropriately. The perpetrators installed software on our system to prevent us from seeing the activity, but once that activity was identified by our internal IT staff, the system access was changed to prevent additional access using that password.

Based on our investigation and information we have obtained from law enforcement agencies, the access to our system was an illegal and intentional act of compromising our server conducted by some offshore perpetrators from a foreign location yet to be conclusively determined; however, we currently know that Internet addresses in Ghana, the People’s Republic of China, Russia, and other countries were used.

Q. Where is my confidential medical information now?

A. The information is in the same place with better “locks” (security controls and processes) and different “keys” (passwords). Our practice uses vendors with national reputations that service clients larger and smaller than our practice, and their software has been certified by the United States Office of the National Coordinator for Health Information Technology. They deal with such threats on a regular basis and we have confidence in them.

We don’t know if any of your medical information was exported from the system, but we don’t see any evidence of that happening. If our ongoing investigation reveals anything different, we will let you know.

Q. Should I be concerned about my personal accounts being compromised?

A. More and more consumer data is being stored on computers every day. Seventy percent of all Americans have been subject to at least one incident of identity theft. We think you should always be mindful of unusual activity involving your credit cards, bank accounts, credit reports, and other financial and personal identifying information. Even though we do our best to ensure that the data in our systems is always secure, bad people are trying to get that data from us and others every day. A determined burglar can break into the most secure house if he tries hard enough.

The information stored on the compromised server included medical records and demographic information such as dates of birth and addresses of our patients. This type of information, while personal, should not be sufficient to compromise your personal accounts.

Q. Am I in danger of identity theft?

A. We do not think that the breach of the server has put our patients in danger of identity theft. However, out of an abundance of caution, we are recommending that our patients take steps to monitor their financial accounts for a period of five years. The timeframe of five years is recommended by the FBI because professional criminals of this nature know that most companies that suffer a breach provide one or two years of credit monitoring, and such criminals now hold any information they steal until well after the one- or two-year time period ends.

Because the data set available to the perpetrators was limited, our experts tell us that the risk of identity theft is low; however, that does not mean that you should not be vigilant.

Q. What should I do to monitor my personal accounts for possible fraud?

A. It is important to carefully review all reports related to you. This includes credit reports, bank statements, explanation of benefit statements (EOBs), investment documents, etc. It is also suggested that you contact your bank to see what type of monitoring services they provide. Many banks provide customers online account access and the ability to set up alerts for account activity.

Q. What has Vascular Surgical Associates done to make sure this doesn't happen again?

A. Our internal IT team is monitoring computer events closely and continuing to investigate any suspicious events. We are fully cooperating with the external investigation being conducted at our request by the FBI. In addition, Vascular Surgical Associates has revised its protocols and added additional IT security services in an ongoing effort to stay ahead of the continual attacks of this nature that are being waged against all health care providers.

Q. Who can I talk to if I have questions?

A. If you still have questions or concerns, we have established a call center to personally address your concerns and answer your questions. Patients may contact the call center toll free at (800)-550-6616 between 9:00 a.m. and 5:00 p.m. Eastern time, Monday through Friday.
