Philadelphia FIGHT Community Health Centers (“FIGHT”), a community health provider to low-income individuals in the greater Philadelphia area serving our community since 1990, announced today that it was the victim of a criminal cyberattack that may impact the privacy of patient information. FIGHT cannot confirm that any specific patient information was accessed or acquired and is unaware of any fraudulent misuse of information related to this event. We are providing this notice out of an abundance of caution, along with steps that community members can take to better protect against the possibility of identity theft and fraud.
What Happened?
On November 30, 2021, FIGHT discovered suspicious activity in its computer network, indicating that it was the victim of a criminal cyberattack. Upon discovery, FIGHT disconnected its network from the Internet, stopping the cyberattack, launched an investigation into the nature and scope of the event with the assistance of third-party computer forensic specialists, and reported the crime to law enforcement. FIGHT promptly confirmed that this event did not impact its electronic medical record (EMR), or other clinical systems, based on available evidence. On January 13, 2022, it was determined that a criminal actor potentially accessed certain non-clinical systems within the network, and later that those systems contained legally protected patient information.
FIGHT cannot confirm that any patient information was accessed or acquired and is informing the public of the event because legally protected information was located on impacted non-clinical systems. FIGHT is currently reviewing the impacted systems, and will be sending notification letters to any individuals whose information may have been impacted.
What Information Was Involved?
FIGHT cannot confirm whether any sensitive information was accessed or acquired by the criminal attackers and is providing notice of the event because patient information was located on the impacted non-clinical systems, including names, dates of birth, social security numbers, medical treatment, diagnosis information, and health insurance information. FIGHT is unaware of any publication or fraudulent misuse of information related to this event.
What Philadelphia FIGHT is Doing
In responding to this event, FIGHT promptly investigated and took steps to secure its network environment and is continuing its investigation to identify and to provide written notification to any individuals whose sensitive information may have been impacted. FIGHT has also notified law enforcement, and is working to develop and implement additional security measures, policies and procedures to reduce the likelihood of a similar future event.
What Individuals Can Do
FIGHT is not aware of any fraudulent misuse of any information from this event and cannot confirm whether any patient information was accessed or acquired by the cyber attackers based on available evidence. Nonetheless, FIGHT encourages all community members to remain vigilant against incidents of identity theft by reviewing account statements, monitoring free credit reports for suspicious activity, and reviewing the following “Steps You Can Take to Protect Information” for further information.
FIGHT understands that individuals may have questions about this event. As a result, we have established a toll-free call center to answer your questions: 855-604-1814 between 9:00 AM – 9:00 PM Eastern Time, Monday through Friday.
STEPS YOU CAN TAKE TO PROTECT INFORMATION
Monitor Your Accounts
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order your free credit report, visit annualcreditreport.com or call toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the prior two to five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
- A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
