Notification of Cybersecurity Incident | NewYork-Presbyterian Hospital
NewYork-Presbyterian Hospital Notification of Cybersecurity Incident
Date: November 11, 2022
Incident
On September 8, 2022, NewYork-Presbyterian Hospital’s data security monitors received an alert of suspicious activity on one of its servers, including possible attempts to download information by an unauthorized user. These attempts were successfully blocked and NYP’s Information Security Department began reviewing the matter.
As a result of its review, NYP later learned that an unauthorized third-party had used a cloud-based, remote information technology customer support program to gain access to the laptops of several of its workforce members, copying and removing desktop files from some of the devices. The threat actor did not access NYP’s patient portal but one of the compromised laptops contained protected health information of certain patients of NewYork-Presbyterian/Queens and NewYork-Presbyterian/ Hudson Valley.
Approximately twelve thousand (12,000) patients were affected. Information pertaining to those patients include first and last names, addresses, insurance authorizations, medical records numbers and exam results.
NYP’s Response
NYP is committed to protecting the privacy and security of its patients’ health information and has taken steps to prevent a similar incident from happening in the future. Accounts used for the technical assistance program were immediately suspended and the service was terminated without further incident. NYP confirmed there was no unauthorized access to NYP’s electronic medical records patient portal and none of its other data has been compromised.
As required by law, NYP is reporting this incident to the Department of Health and Human Services, Office for Civil Rights and to the Office of the Attorney General in New York State.
NYP is further offering credit monitoring and identity theft protection services through ID Experts for all impacted patients. ID Experts’ services include twelve (12) months of credit monitoring and fully managed identity theft recovery services. With this protection, ID Experts will notify and assist in resolving issues for those whose identity has been compromised as a result of this incident.
What You Can Do:
All potentially affected individuals can do the following:
Credit Report: Obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account.
Security Freezes: You have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent.
Fraud Alerts: Fraud alerts instruct creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts.
Monitoring: Remain vigilant and monitor your accounts for suspicious or unusual activity.
Contact Us
NYP has also established a call center with personnel available answer questions of those concerned that they may have been impacted. You can reach the center toll free Monday through Friday, from 8:00AM to 8:00PM eastern standard time, at 1-888-308-4435.
Additional Information
Credit Reports: You may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report from each of the three nationwide credit reporting agencies. To order your free credit report, please visit www.annualcreditreport.com, or call toll-free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.
Security Freeze: You also have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, regular stamped mail, or by following the instructions found at the websites listed below.
The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse or a minor under the age of 16, this information must be provided for him/her as well):
full name, with middle initial and any suffixes;
Social Security number;
date of birth;
current address and any previous addresses for the past five years; and
any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.
The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. As of September 21, 2018, it is free to place, lift, or remove a security freeze. You may also place a security freeze for children under the age of 16.
You may obtain a free security freeze by contacting any one or more of the following national consumer reporting agencies:
Equifax Security Freeze Experian Security Freeze
TransUnion Security Freeze
Experian
Fraud Alert: You can place fraud alerts with the three credit bureaus by phone and online with:
Equifax (https://assets.equifax.com/assets/personal/Fraud_Alert_Request_Form.pdf);
TransUnion (https://www.transunion.com/fraud-alerts); or
Experian (https://www.experian.com/fraud/center.html).
A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. As of September 21, 2018, initial fraud alerts last for one year. Victims of identity theft can also get an extended fraud alert for seven years. The phone numbers for all three credit bureaus are at the bottom of this page
Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity.
File Police Report: You have the right to file or obtain a police report if you experience identity fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide proof that you have been a victim. A police report is often required to dispute fraudulent items. You can generally report suspected incidents of identity theft to local law enforcement or to the Attorney General.
FTC and Attorney General: You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself, by contacting the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General.
The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338), TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above.
For New York Residents: the Attorney General may be contacted at Office of the Attorney General, The Capitol, Albany, NY 12224- 0341, 1-800-771-7755, and https://ag.ny.gov.
Date: November 11, 2022
Incident
On September 8, 2022, NewYork-Presbyterian Hospital’s data security monitors received an alert of suspicious activity on one of its servers, including possible attempts to download information by an unauthorized user. These attempts were successfully blocked and NYP’s Information Security Department began reviewing the matter.
As a result of its review, NYP later learned that an unauthorized third-party had used a cloud-based, remote information technology customer support program to gain access to the laptops of several of its workforce members, copying and removing desktop files from some of the devices. The threat actor did not access NYP’s patient portal but one of the compromised laptops contained protected health information of certain patients of NewYork-Presbyterian/Queens and NewYork-Presbyterian/ Hudson Valley.
Approximately twelve thousand (12,000) patients were affected. Information pertaining to those patients include first and last names, addresses, insurance authorizations, medical records numbers and exam results.
NYP’s Response
NYP is committed to protecting the privacy and security of its patients’ health information and has taken steps to prevent a similar incident from happening in the future. Accounts used for the technical assistance program were immediately suspended and the service was terminated without further incident. NYP confirmed there was no unauthorized access to NYP’s electronic medical records patient portal and none of its other data has been compromised.
As required by law, NYP is reporting this incident to the Department of Health and Human Services, Office for Civil Rights and to the Office of the Attorney General in New York State.
NYP is further offering credit monitoring and identity theft protection services through ID Experts for all impacted patients. ID Experts’ services include twelve (12) months of credit monitoring and fully managed identity theft recovery services. With this protection, ID Experts will notify and assist in resolving issues for those whose identity has been compromised as a result of this incident.
What You Can Do:
All potentially affected individuals can do the following:
Credit Report: Obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account.
Security Freezes: You have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent.
Fraud Alerts: Fraud alerts instruct creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts.
Monitoring: Remain vigilant and monitor your accounts for suspicious or unusual activity.
Contact Us
NYP has also established a call center with personnel available answer questions of those concerned that they may have been impacted. You can reach the center toll free Monday through Friday, from 8:00AM to 8:00PM eastern standard time, at 1-888-308-4435.
Additional Information
Credit Reports: You may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report from each of the three nationwide credit reporting agencies. To order your free credit report, please visit www.annualcreditreport.com, or call toll-free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.
Security Freeze: You also have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, regular stamped mail, or by following the instructions found at the websites listed below.
The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse or a minor under the age of 16, this information must be provided for him/her as well):
full name, with middle initial and any suffixes;
Social Security number;
date of birth;
current address and any previous addresses for the past five years; and
any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.
The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. As of September 21, 2018, it is free to place, lift, or remove a security freeze. You may also place a security freeze for children under the age of 16.
You may obtain a free security freeze by contacting any one or more of the following national consumer reporting agencies:
Equifax Security Freeze Experian Security Freeze
TransUnion Security Freeze
Experian
Fraud Alert: You can place fraud alerts with the three credit bureaus by phone and online with:
Equifax (https://assets.equifax.com/assets/personal/Fraud_Alert_Request_Form.pdf);
TransUnion (https://www.transunion.com/fraud-alerts); or
Experian (https://www.experian.com/fraud/center.html).
A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. As of September 21, 2018, initial fraud alerts last for one year. Victims of identity theft can also get an extended fraud alert for seven years. The phone numbers for all three credit bureaus are at the bottom of this page
Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity.
File Police Report: You have the right to file or obtain a police report if you experience identity fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide proof that you have been a victim. A police report is often required to dispute fraudulent items. You can generally report suspected incidents of identity theft to local law enforcement or to the Attorney General.
FTC and Attorney General: You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself, by contacting the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General.
The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338), TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above.
For New York Residents: the Attorney General may be contacted at Office of the Attorney General, The Capitol, Albany, NY 12224- 0341, 1-800-771-7755, and https://ag.ny.gov.
