Four Winds Westchester - Breach Of Protected Health Information

Maintaining the safety of information about our patients is a top priority of Four Winds Hospital. In that regard, we are notifying you about a data security incident. This incident may have impacted certain personal information of patients.

What happened? In September 2020, Four Winds Hospital in Katonah was the victim of a ransomware attack that prevented the Hospital from accessing its computer systems. We learned of the attack on September 1st, and we were not able to access our computer networks for two weeks.

How did the Hospital secure patient data? We immediately notified NYS and federal law enforcement agencies, which began an investigation of the incident and the cybercriminals behind it. We quickly locked out the cybercriminals from continuing to access our systems. We also engaged cybersecurity experts to assist us in responding to the attack and to help us determine what, if any, patient data was impacted. They obtained evidence that the cybercriminals deleted any files in their possession, although that evidence cannot be independently verified. The Hospital has taken steps to prevent a reoccurrence.

What information was involved? Our forensic investigation determined that encrypted data fields, email, and any information in cloud-based and encrypted programs were NOT accessed by the cybercriminals. The patient electronic medical record system was NOT accessed. The cybercriminals were able to access password-protected data files. We then conducted a file-by-file search to determine whether those files contained any personal patient information. That search revealed that some files that could have been accessed during the time the cybercriminals retained possession of them included: lists of patients from 1983 to the present by name and medical record number; a small subset of patient lists (approximately 100 records) that also contained a patient’s social security number; some files dating back to 2013 that contained miscellaneous documents that included limited patient treatment information; and the social security number of patients who were Medicare members admitted earlier than 2019 during the time that Medicare cards displayed that number.

What can you do? To protect yourself from the possibility of identity theft, you can place a fraud alert on your credit files. A fraud alert conveys a special message to anyone requesting your credit report that you suspect you were a victim of fraud. When you or someone else attempts to open a credit account in your name, the lender should take measures to verify that you have authorized the request. A fraud alert should not stop you from using your existing credit cards or other accounts, but it may slow down your ability to get new credit. An initial fraud alert is valid for ninety (90) days. To place a fraud alert on your credit reports, contact one of the three major credit reporting agencies at the appropriate number listed below or via their website. One agency will notify the other two on your behalf. You will then receive letters from the agencies with instructions on how to obtain a free copy of your credit report from each of them.

• Equifax (888) 766-0008 or www.fraudalert.equifax.com
• Experian (888) 397-3742 or www.experian.com
• TransUnion (800) 680-7289 or www.transunion.com

You may obtain a free copy of your credit report once every 12 months by visiting www.annualcreditreport.com, calling toll-free 877-322-8228, or by completing an Annual Credit Request Form at www.ftc.gov/bcp/menus/consumer/credit/rights.shtm and mailing it to:
Annual Credit Report Request Service
P.O. Box 1025281
Atlanta, GA 30348-5283

For more information on “identity theft” you can visit the following websites:
NYS Department of Consumer Protection: http://www.dos.ny.gov/consumerprotection
NYS Attorney General: https://ag.ny.gov/internet/data-breach
Federal Trade Commission: www.ftc.gov/bcp/edu/microsites/idtheft/

Please know that we are doing everything we can to prevent any further breach of patient information. If at any point you discover that your Protected Health Information has been used inappropriately, please notify us and we will work with you to make sure the proper authorities are involved.

We deeply regret that the Hospital was a victim of a ransomware attack and apologize for any concern or inconvenience you may experience from this notification. If you have any questions about this incident, please contact Monica Broderick, Privacy Officer, at 1-800-546-1775, ext. 2769.

Moira Morrissey
Chief Executive Officer