San Diego, CA: April 8, 2021 – St. Vincent de Paul Village Family Health Center recently learned of a data security incident experienced by Netgain Technology, LLC (“Netgain”), the IT service provider for Health Center Partners of Southern California (“HCP”). HCP supports community health centers in a variety of ways, including collaborative grant-funded programs and services for St. Vincent de Paul Village Family Health Center. HCP has sent notification of this incident to potentially impacted individuals and has provided resources to assist them.
What Happened: Netgain recently informed HCP that it had experienced a data security incident that involved systems containing HCP data. Upon its discovery of the incident, Netgain brought all of its systems offline and engaged outside cybersecurity experts to conduct an investigation and to assist in its mitigation, restoration, and remediation efforts. Once HCP learned of the incident, it engaged its own independent cybersecurity experts to determine what happened, whether any HCP data was compromised as a result of the incident, and the impact of this incident on HCP, its health center partners, including St. Vincent de Paul Village Family Health Center, and their patients.
According to Netgain, in late September 2020, an unauthorized third party gained access to Netgain’s digital environment, and between October 22, 2020 to December 3, 2020, the unauthorized third party obtained certain files containing HCP data. Netgain stated that it paid an undisclosed amount to the attacker in exchange for assurances that the attacker will delete all copies of this data and that it will not publish, sell, or otherwise disclose the data. In addition, Netgain’s cybersecurity experts conducted regular dark web scans for the impacted files, but such searches have not yielded any indications that the data involved in this incident has been or will be published, sold, offered for sale, or otherwise disclosed. Accordingly, there is no reason to believe that any information involved in the incident has been or will be misused.
Once HCP learned that its data may have been involved in the incident, HCP took steps to identify the individuals whose information was contained in such files and their current mailing addresses in order to provide notification. On March 16, 2021, HCP informed St. Vincent de Paul Village Family Health Center that information relating to some of our patients was contained in the impacted files. Again, we are not aware of any misuse of your personal information as a result of this incident. Nevertheless, out of an abundance of caution, HCP and St. Vincent de Paul Village Family Health Center worked together to send notification letters to potentially impacted patients on April 8, 2021.
What Information Was Involved: The information contained in the impacted files vary depending on the individual but may include the following: name, address, date of birth, clinical information, provider name, medical record number, Medicare/Medicaid number, health insurance number, and treatment cost information. For a small subset of patients, their Social Security number and prescription information may have been contained in the impacted files.
What We Are Doing: HCP worked with Netgain to confirm that it was taking steps to ensure that the information at issue was not being misused and that it has implemented additional measures to enhance the security of its digital environment in an effort to minimize the likelihood of a similar event from occurring in the future. Furthermore, HCP reported the incident to law enforcement agencies, including the Federal Bureau of Investigation, and HCP and St. Vincent de Paul Village Family Health Center are committed to assisting their investigation into the matter.
What You Can Do: The notification letters that were sent to potentially affected individuals include resources and steps that they can take to help protect their personal and protected health information. HCP and St. Vincent de Paul Village Family Health Center have established a toll free call center to answer questions about the incident and to address any concerns. Call center representatives are available Monday through Friday from 6:00 a.m. to 6:00 p.m. Pacific Time and can be reached at 1-833-416-0926.
The privacy and security of our patients’ personal and protected health information is a top priority for St. Vincent de Paul Village Family Health Center, and we deeply regret any inconvenience or concern this incident may cause.
While St. Vincent de Paul Village Family Health Center has no evidence of the misuse of any potentially affected individuals’ information, it is providing the following information to help those who want to know more about steps they can take to protect themselves and their personal information:
What steps can I take to protect my personal information?
- Please notify your financial institution immediately if you detect any suspicious activity on any of your accounts, including unauthorized transactions or new accounts opened in your name that you do not recognize. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.
- You can request a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To do so, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is listed at the bottom of this page.
- You can take steps recommended by the Federal Trade Commission to protect yourself from identify theft. The FTC’s website offers helpful information at www.ftc.gov/idtheft.
- Additional information on what you can do to better protect yourself is included in your notification letter.
How do I obtain a copy of my credit report?
You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com/, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You also can contact one of the following three national credit reporting agencies:
P.O. Box 1000
Chester, PA 19016
P.O. Box 2002
Allen, TX 75013
P.O. Box 740241
Atlanta, GA 30374
How do I put a fraud alert on my account?
You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for one year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at http://www.annualcreditreport.com.
How do I put a security freeze on my credit reports?
You have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, or regular stamped mail, or online by following the instructions found at the websites listed below. You will need to provide the following information when requesting a security freeze (note that if you are making a request for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; and (4) address. You may also be asked to provide other personal information such as your email address, a copy of a government-issued identification card, and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. There is no charge to place, lift, or remove a freeze. You may obtain a security freeze by contacting any one or more of the following national consumer reporting agencies:
Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348
Experian Security Freeze
PO Box 9554
Allen, TX 75013
PO Box 2000
Chester, PA 19022
What should I do if my family member’s information was involved in the incident and is deceased?
You may choose to notify the three major credit bureaus, Equifax, Experian and TransUnion, and request they flag the deceased credit file. This will prevent the credit file information from being used to open credit. To make this request, mail a copy of your family member’s death certificate to each company at the addresses below.
Equifax Information Services
P.O. Box 105169,
Atlanta, GA 30348
Experian Information Services
P.O. Box 9701
Allen, TX 75013
Trans Union Information Services
P.O. Box 2000
Chester, PA 19022
What should I do if my minor child’s information involved in the incident?
You can request that each of the three national credit reporting agencies perform a manual search for a minor’s Social Security number to determine if there is an associated credit report. Copies of identifying information for the minor and parent/guardian may be required, including birth or adoption certificate, Social Security card and government issued identification card. If a credit report exists, you should request a copy of the report and immediately report any fraudulent accounts to the credit reporting agency. You can also report any misuse of a minor’s information to the FTC at https://www.identitytheft.gov/. For more information about Child Identity Theft and instructions for requesting a manual Social Security number search, visit the FTC website: https://www.consumer.ftc.gov/articles/0040-child-identity-theft. Contact information for the three national credit reporting agencies may be found above.