Data Security Incident

NOTICE REGARDING ADIRONDACKS ACO DATA SECURITY INCIDENT
August 23, 2019

Adirondacks ACO, LLC (“Adirondacks ACO”) is notifying patients and members whose information may have been compromised when an email account was remotely accessed by an unauthorized user earlier this year.

Adirondacks ACO is an accountable care organization (“ACO”), whose members consist of various health care providers in upstate New York. These providers work with the ACO to improve the quality of care offered to their patients. To do so, the ACO receives and analyzes patient information about the care and service provided. 

Early next week, Adirondacks ACO will begin mailing letters to patients and members whose information was contained in the email account that was accessed. 

The incident, which occurred between March 2 and March 4, 2019, involved an email account assigned to an employee who worked for both Adirondacks ACO and CVPH. The incident was discovered by CVPH on March 4, and the hospital immediately took action to prevent any further access. With CVPH, Adirondacks ACO performed a review of the information contained in the email account and determined that some emails and/or attachments were related to services provided by Adirondacks ACO to its member providers and carriers and included some patient and member information.

The subsequent investigation has taken a significant amount of time, due to the complexities of the data review process and the coordination required among Adirondacks ACO and its member providers and carriers. The investigation has determined that the type of information accessed varied for each individual affected, and may have included names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information.

There is no evidence to date that any of the information contained in the email account has been misused. As a precaution, however, it is recommended that patients monitor their accounts and review any billing or explanation of benefits statements they receive from their health care insurers or health care providers. If they see services they did not receive, they should contact their insurer or provider immediately.

To help prevent something like this from happening in the future, Adirondacks ACO and CVPH continue to assess systems and implement safeguards to address risks. They are also reinforcing employee training on how to detect and avoid phishing emails.

Adirondacks ACO has established a dedicated toll-free number to answer any questions individuals may have about the incident. To contact the call center, please call 1-877-347-0178 from 9 a.m. to 9 p.m. Eastern Time, Monday – Friday. Additional information is also available on the Adirondacks ACO website at: www.adirondacksaco.com.