The Cooper Health System (“Cooper”) takes the privacy and security of patient information very seriously. Therefore, we are providing notice of an incident that may impact personal or protected health information and steps individuals can take to help protect personal information.
What Happened? On July 18, 2022, Cooper learned of unusual activity involving an employee’s email account. Upon discovering this activity, Cooper immediately secured the email account, confirmed the security of its computer network and systems, and launched an investigation with the assistance of independent cybersecurity specialists to determine what happened and whether personal or protected health information had been accessed or acquired without authorization.
The forensic investigation revealed certain employee email accounts had been accessed without authorization beginning on or around July 15, 2022 and that mailbox contents may have been viewed or acquired by an unauthorized individual. Cooper then launched a comprehensive review of the affected mailbox contents to identify and notify individuals whose information was potentially impacted.
Cooper’s investigation also confirmed there was no access to Cooper’s electronic health records system, which stores patient medical records on an off-site platform, or Cooper’s broader computer network. Nevertheless, in order to comply with reporting requirements, we are providing notice of the incident impacting the email accounts. We are also providing steps you can take to help protect your information, should you wish to do so.
What Information Was Involved? Based on our investigation, the following information may have been accessed regarding patients: patient name, date of birth, medical record number, medical treatment information, and health insurance information.
What Are We Doing? As soon as we discovered this incident, we took steps to secure the impacted accounts and conduct a diligent investigation as described above. We have also implemented additional safeguards to help ensure the security of our email environment and to reduce the risk of a similar incident occurring in the future. In addition, we reported the incident to the Federal Bureau of Investigation and will provide whatever cooperation is necessary to help identify and prosecute the perpetrators.
Along with the above measures, Cooper is providing information about steps you can take to help protect your personal information. Cooper will also be notifying potentially impacted individuals.
What You Can Do: Please review the below “Steps You Can Take to Further Protect Your Information” for additional ways you can help safeguard your information.
For More Information: If you have questions or need assistance, please call (877) 274-2764 from 9:00 AM to 11:00 PM Eastern Time Monday through Friday or from 11:00 AM to 8:00 PM Eastern Time Saturday and Sunday. Please be prepared to provide your engagement number: B061622.
Protecting patient information is important to us. Please know that we take this incident very seriously and deeply regret any worry or inconvenience that this may cause.
Additional Steps You Can Take to Further Protect Your Information
Review Your Account Statements and Notify Law Enforcement of Suspicious Activity: As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and monitoring free credit reports closely for errors and by taking other steps appropriate to protect accounts, including promptly changing passwords. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained for remediation assistance or contact a remediation service provider. You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission (FTC). You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:
- Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Ave, NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.consumer.ftc.gov, www.ftc.gov/idtheft.
Copy of Credit Report: You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com/, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can print this form at https://www.annualcreditreport.com/cra/requestformfinal.pdf. You also can contact one of the following three national credit reporting agencies:
- Equifax, P.O. Box 740241, Atlanta, GA 30374, 1-800-525-6285, www.equifax.com.
- Experian, P.O. Box 9532, Allen, TX 75013, 1-888-397-3742, www.experian.com.
- TransUnion, P.O. Box 1000, Chester, PA 19016, 1-800-916-8800, www.transunion.com.
Fraud Alerts: There are two kinds of general fraud alerts you can place on your credit report—an initial alert and an extended alert. You may want to consider placing either or both fraud alerts on your credit report. An initial fraud alert is free and will stay on your credit file for at least 90 days. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. You may have an extended alert placed on your credit report if you have already been a victim of identity theft and provide the appropriate documentary poof. An extended fraud alert is also free and will stay on your credit report for seven years. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at http://www.annualcreditreport.com. Military members may also place an Active Duty Military Fraud Alert on their credit reports while deployed. An Active Duty Military Fraud Alert lasts for one year and can be renewed for the length of your deployment
Credit or Security Freezes: Under U.S. law, you have the right to put a credit freeze, also known as a security freeze, on your credit file, for up to one year at no cost. The freeze will prevent new credit from being opened in your name without the use of a PIN number that is issued to you when you initiate the freeze. A security freeze is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to obtain credit.
You must separately place a security freeze on your credit file with each credit reporting agency. There is no fee to place or lift a security freeze. For information and instructions on how to place a security freeze, contact any of the credit reporting agencies or the Federal Trade Commission identified above. In order to place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement. After receiving your freeze request, each credit bureau will provide you with a unique PIN or password. Keep the PIN or password in a safe place as you will need it if you choose to lift the freeze.
A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it altogether. If the request is made online or via phone, a credit bureau must lift the credit freeze within an hour. If the request is made by mail, then the bureau must lift the freeze no later than three business days after receiving your request.
IRS Identity Protection PIN: You can obtain an identity protection PIN (IP PIN) from the IRS that prevents someone else from filing a tax return using your Social Security number. The IP PIN is known only to you and the IRS and helps the IRS verify your identity when you file your electronic or paper tax return. You can learn more and obtain your IP PIN here: https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin.
You also have certain rights under the Fair Credit Reporting Act (FCRA): These rights include the right to know what is in your file; to dispute incomplete or inaccurate information; to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, and your rights pursuant to the FCRA, please visit http://files.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf.
Additional Free Resources: You can obtain information from the consumer reporting agencies, the FTC, or from your respective state attorney general about fraud alerts, security freezes, and steps you can take toward preventing identity theft. You may report suspected identity theft to local law enforcement, including to the FTC or to the attorney general in your state.