Notice of Data Security Incident - Shields Health Care Group
Shields Health Care Group, Inc. (“Shields”) recently became aware of suspicious activity on its network. Shields provides management and imaging services on behalf of the health care facilities (“Facility Partners”) listed below. With the assistance of third-party forensic specialists, we took immediate steps to contain the incident and to investigate the nature and scope of the incident. Shields is issuing this notice on behalf of itself and the Facility Partners to communicate what is known about the incident, our response, and steps impacted individuals can take, if deemed appropriate. Certain patients of these Facility Partners may be impacted.
What Happened? On March 28, 2022, Shields was alerted to suspicious activity that may have involved data compromise. Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event.
This investigation determined that an unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022. Furthermore, the investigation revealed that certain data was acquired by the unknown actor within that time frame. Although Shields had identified and investigated a security alert on or around March 18, 2022, data theft was not confirmed at that time.
What Information Was Involved? To date, we have no evidence to indicate that any information from this incident was used to commit identity theft or fraud. However, the type of information that was or may have been impacted could include one or more of the following: Full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields review of the impacted data is ongoing.
What Are We Doing? Shields takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected. Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.
We have notified federal law enforcement, and will be reporting this incident to relevant state and federal regulators. Further, once we complete the review of the impacted data, we will directly notify impacted individuals where possible so that they may take further steps to help protect their information, should they feel it is appropriate to do so.
What Can Affected Individuals Do? While we have no evidence to indicate identity theft or fraud occurred as a result of this incident, we encourage impacted individuals to review Steps You Can Take to Help Protect Your Information, which is included below.
For More Information. We understand you may have additional questions concerning this incident. Individuals can direct questions to (855) 503-3386. The call center hours will be 8:00am-5:30pm Central Time, Monday through Friday, excluding major U.S. holidays.
Steps You Can Take to Help Protect Your Information
Monitor Your Accounts
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
Full name (including middle initial as well as Jr., Sr., II, III, etc.);
Social Security number;
Date of birth;
Addresses for the prior two to five years;
Proof of current address, such as a current utility bill or telephone bill;
A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax Experian TransUnion
https://www.equifax.com/personal/credit-report-services/ https://www.experian.com/help/ https://www.transunion.com/credit-help
1-888-298-0045 1-888-397-3742 1-833-395-6938
Equifax Fraud Alert, P.O. Box 105069 Atlanta, GA 30348-5069 Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013 TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016
Equifax Credit Freeze, P.O. Box 105788 Atlanta, GA 30348-5788 Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013 TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094
Additional Information
You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.
For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW, Washington, DC 20001; 202-727-3400; and [email protected].
For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-528-8662 or 1-888-743-0023; and www.oag.state.md.us.
For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violator. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov/.
For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov.
For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, RI 02903; www.riag.ri.gov; and 1-401-274-4400. The number of Rhode Island residents impacted is not currently confirmed. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident.
Facility Partners
*Facilities / Entity
Baystate Health Urgent Care, LLC
Baystate MRI & Imaging Center, LLC
Brighton Imaging Center, LLC
Cape Cod CT Services, LLC
Cape Cod Imaging Services, LLC (a business associate to Falmouth Hospital Association, Inc)
Cape Cod PET/CT Services, LLC
Cape Cod Radiation Therapy Service, LLC
Central Maine Medical Center
Emerson Hospital
Fall River/New Bedford Regional MRI Limited Partnership
Falmouth Hospital Association, Inc.
Franklin MRI Center, LLC
Lahey Clinic MRI Services, LLC
Massachusetts Bay MRI Limited Partnership
Mercy Imaging, Inc.
MRI/CT of Providence, LLC
Newton-Wellesley MRI Limited Partnership
NW Imaging Management Company, LLC (a business associate to Newton Wellesley Orthopedic Associates, Inc.)
Newton-Wellesley Imaging, PC
Newton Wellesley Orthopedic Associates, Inc.
Northern MASS MRI Services, Inc.
PET-CT Services by Tufts Medical Center and Shields, LLC
Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a business associate SportsMedicine Atlantic Orthopaedics P.A.)
Shields CT of Brockton, LLC
Shields Imaging at Anna Jaques Hospital, LLC
Shields Healthcare of Cambridge, Inc.
Shields Imaging at University Hospital, LLC
Shields Imaging at York Hospital, LLC
Shields Imaging Management at Emerson Hospital, LLC (a business associate to Emerson Hospital)
Shields Imaging of Eastern Mass, LLC
Shields Imaging of Lowell General Hospital, LLC
Shields Imaging of Portsmouth, LLC
Shields Imaging with Central Maine Health, LLC (a business associate to Central Maine Medical Center)
Shields Management Company, Inc.
Shields MRI & Imaging Center of Cape Cod, LLC
Shields MRI of Framingham, LLC
Shields PET/CT at CMMC, LLC
Shields PET_CT at Berkshire Medical Center, LLC
Shields PET-CT at Cooley Dickinson Hospital, LLC
Shields PET-CT at Emerson Hospital, LLC
Shields Radiology Associates, PC
Shields Signature Imaging, LLC
Shields Sturdy PET-CT, LLC
Shields-Tufts Medical Center Imaging Management, LLC (a business associate to Tufts Medical Center, Inc.)
South Shore Regional MRI Limited Partnership
Southeastern Massachusetts Regional MRI Limited Partnership
SportsMedicine Atlantic Orthopaedics P.A.
Tufts Medical Center, Inc.
UMass Memorial HealthAlliance MRI Center, LLC
UMass Memorial MRI – Marlborough, LLC
UMass Memorial MRI & Imaging Center, LLC
Winchester Hospital / Shields MRI, LLC
Radiation Therapy of Southeastern Massachusetts, LLC
Radiation Therapy of Winchester, LLC
South Suburban Oncology Center Limited Partnership
Shields Imaging of North Shore, LLC
What Happened? On March 28, 2022, Shields was alerted to suspicious activity that may have involved data compromise. Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event.
This investigation determined that an unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022. Furthermore, the investigation revealed that certain data was acquired by the unknown actor within that time frame. Although Shields had identified and investigated a security alert on or around March 18, 2022, data theft was not confirmed at that time.
What Information Was Involved? To date, we have no evidence to indicate that any information from this incident was used to commit identity theft or fraud. However, the type of information that was or may have been impacted could include one or more of the following: Full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields review of the impacted data is ongoing.
What Are We Doing? Shields takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected. Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.
We have notified federal law enforcement, and will be reporting this incident to relevant state and federal regulators. Further, once we complete the review of the impacted data, we will directly notify impacted individuals where possible so that they may take further steps to help protect their information, should they feel it is appropriate to do so.
What Can Affected Individuals Do? While we have no evidence to indicate identity theft or fraud occurred as a result of this incident, we encourage impacted individuals to review Steps You Can Take to Help Protect Your Information, which is included below.
For More Information. We understand you may have additional questions concerning this incident. Individuals can direct questions to (855) 503-3386. The call center hours will be 8:00am-5:30pm Central Time, Monday through Friday, excluding major U.S. holidays.
Steps You Can Take to Help Protect Your Information
Monitor Your Accounts
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
Full name (including middle initial as well as Jr., Sr., II, III, etc.);
Social Security number;
Date of birth;
Addresses for the prior two to five years;
Proof of current address, such as a current utility bill or telephone bill;
A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax Experian TransUnion
https://www.equifax.com/personal/credit-report-services/ https://www.experian.com/help/ https://www.transunion.com/credit-help
1-888-298-0045 1-888-397-3742 1-833-395-6938
Equifax Fraud Alert, P.O. Box 105069 Atlanta, GA 30348-5069 Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013 TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016
Equifax Credit Freeze, P.O. Box 105788 Atlanta, GA 30348-5788 Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013 TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094
Additional Information
You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.
For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW, Washington, DC 20001; 202-727-3400; and [email protected].
For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-528-8662 or 1-888-743-0023; and www.oag.state.md.us.
For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violator. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov/.
For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov.
For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, RI 02903; www.riag.ri.gov; and 1-401-274-4400. The number of Rhode Island residents impacted is not currently confirmed. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident.
Facility Partners
*Facilities / Entity
Baystate Health Urgent Care, LLC
Baystate MRI & Imaging Center, LLC
Brighton Imaging Center, LLC
Cape Cod CT Services, LLC
Cape Cod Imaging Services, LLC (a business associate to Falmouth Hospital Association, Inc)
Cape Cod PET/CT Services, LLC
Cape Cod Radiation Therapy Service, LLC
Central Maine Medical Center
Emerson Hospital
Fall River/New Bedford Regional MRI Limited Partnership
Falmouth Hospital Association, Inc.
Franklin MRI Center, LLC
Lahey Clinic MRI Services, LLC
Massachusetts Bay MRI Limited Partnership
Mercy Imaging, Inc.
MRI/CT of Providence, LLC
Newton-Wellesley MRI Limited Partnership
NW Imaging Management Company, LLC (a business associate to Newton Wellesley Orthopedic Associates, Inc.)
Newton-Wellesley Imaging, PC
Newton Wellesley Orthopedic Associates, Inc.
Northern MASS MRI Services, Inc.
PET-CT Services by Tufts Medical Center and Shields, LLC
Shields and Sports Medicine Atlantic Imaging Management Co, LLC (a business associate SportsMedicine Atlantic Orthopaedics P.A.)
Shields CT of Brockton, LLC
Shields Imaging at Anna Jaques Hospital, LLC
Shields Healthcare of Cambridge, Inc.
Shields Imaging at University Hospital, LLC
Shields Imaging at York Hospital, LLC
Shields Imaging Management at Emerson Hospital, LLC (a business associate to Emerson Hospital)
Shields Imaging of Eastern Mass, LLC
Shields Imaging of Lowell General Hospital, LLC
Shields Imaging of Portsmouth, LLC
Shields Imaging with Central Maine Health, LLC (a business associate to Central Maine Medical Center)
Shields Management Company, Inc.
Shields MRI & Imaging Center of Cape Cod, LLC
Shields MRI of Framingham, LLC
Shields PET/CT at CMMC, LLC
Shields PET_CT at Berkshire Medical Center, LLC
Shields PET-CT at Cooley Dickinson Hospital, LLC
Shields PET-CT at Emerson Hospital, LLC
Shields Radiology Associates, PC
Shields Signature Imaging, LLC
Shields Sturdy PET-CT, LLC
Shields-Tufts Medical Center Imaging Management, LLC (a business associate to Tufts Medical Center, Inc.)
South Shore Regional MRI Limited Partnership
Southeastern Massachusetts Regional MRI Limited Partnership
SportsMedicine Atlantic Orthopaedics P.A.
Tufts Medical Center, Inc.
UMass Memorial HealthAlliance MRI Center, LLC
UMass Memorial MRI – Marlborough, LLC
UMass Memorial MRI & Imaging Center, LLC
Winchester Hospital / Shields MRI, LLC
Radiation Therapy of Southeastern Massachusetts, LLC
Radiation Therapy of Winchester, LLC
South Suburban Oncology Center Limited Partnership
Shields Imaging of North Shore, LLC