Notice of a Vendor Data Privacy Incident

Lexington Medical Center (LMC) (formerly known as Lexington Memorial Hospital) is proud to provide quality healthcare for our community and we are honored by the trust our patients place in us. We recognize an important part of that trust includes protecting the privacy and security of patient information, including when that information is maintained by our vendors. Unfortunately, we recently discovered that Healthgrades Operating Company, Inc. (Healthgrades), a vendor that previously provided services to LMC, had a security incident that involved some LMC patient information.

Healthgrades previously assisted LMC in educating patients and the community about health matters and services available at LMC. In order to provide those services, Healthgrades was provided some LMC information. On January 29, 2021, Healthgrades notified LMC that an unauthorized individual gained access to a Healthgrades archived server between October 16, 2020 and October 28, 2020. Healthgrades discovered that the impacted archived server included LMC patient information in some backup files from the time it provided services to LMC. 

As soon as we were notified by Healthgrades, we immediately took steps to understand the circumstances of what took place and the information impacted. The files involved in the incident included information from mid-2010 to mid-2011. To date, we have received no indication that any information involved in the incident has been misused.

To help prevent something like this from happening again, we have obtained assurances from Healthgrades that no LMC patient data remains on their systems. LMC has similarly reviewed its files and confirmed that no patient information is being sent to Healthgrades. Healthgrades also advised us that they have notified law enforcement of this incident and will cooperate with any follow-up investigation.

Based on the information provided by Healthgrades, LMC determined that the information contained in the Healthgrades archived files involved in the incident varied by patient but may have included patient names, addresses, demographic and contact information, dates of birth, LMC medical record numbers, Social Security numbers, dates of service, patient type (e.g., outpatient), limited health information – such as treatment and billing codes and their descriptions (which, in some cases, may indicate a diagnosis), names of physicians and their specialties, guarantor names, insurance type, insurance providers and/or cost of treatment information. This incident was limited to the Healthgrades systems only and did not involve any LMC systems or electronic health records. 

We care about the privacy and security of our patients’ information and take this matter very seriously. We mailed letters regarding the incident to the patients whose information was involved on March 26, 2021. Patients whose information was involved are being offered complimentary identity or credit monitoring services. Information about the services, including instructions about how to enroll, is in the notification letters.

We have also established a dedicated call center to answer any questions our patients may have about this incident. For more information, call 1-855-660-1531, Monday through Friday, from 9 am to 6:30 pm Eastern Time.

We are very sorry for any concern or inconvenience this incident may cause. For patients whose information was involved in the incident, we recommend you review the statements you receive from your healthcare providers. If you see services you did not receive, please contact the provider immediately.

Additional Steps You Can Take

We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:

  • Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft

Fraud Alerts and Credit or Security Freezes:

 

Fraud Alerts: There are two types of general fraud alerts you can place on your credit report to put your creditors on notice that you may be a victim of fraud—an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for one year. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years.

To place a fraud alert on your credit reports, contact one of the nationwide credit bureaus. A fraud alert is free. The credit bureau you contact must tell the other two, and all three will place an alert on their versions of your report.

For those in the military who want to protect their credit while deployed, an Active Duty Military Fraud Alert lasts for one year and can be renewed for the length of your deployment. The credit bureaus will also take you off their marketing lists for pre-screened credit card offers for two years, unless you ask them not to.

Credit or Security Freezes: You have the right to put a credit freeze, also known as a security freeze, on your credit file, free of charge, which makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your report, they may not extend the credit.

How do I place a freeze on my credit reports? There is no fee to place or lift a security freeze. Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit reporting company. For information and instructions to place a security freeze, contact each of the credit reporting agencies at the addresses below:

You'll need to supply your name, address, date of birth, Social Security number and other personal information.

After receiving your freeze request, each credit bureau will provide you with a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.

How do I lift a freeze? A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, then the bureau must lift the freeze no later than three business days after getting your request.

If you opt for a temporary lift because you are applying for credit or a job, and you can find out which credit bureau the business will contact for your file, you can save some time by lifting the freeze only at that particular credit bureau. Otherwise, you need to make the request with all three credit bureaus.