PEWAUKEE, Wis., May 3, 2019 /PRNewswire/ — OS, Inc. (“OS”), an organization which provides claims management services to certain healthcare providers, announced that a phishing email campaign may have resulted in unauthorized access to personal information contained within an OS employee’s email account.
On or about December 21, 2018, OS learned of suspicious activity occurring within an OS employee’s email account. OS immediately changed the user’s credentials and launched an investigation. OS also began working with forensic experts to determine the nature and scope of the suspicious activity. On February 20, 2019, the investigation confirmed that an unauthorized actor gained access to the employee’s email account from October 15, 2018 through December 21, 2018, utilizing account credentials harvested through a phishing email campaign. OS took additional steps to enhance the security of the impacted account. OS also immediately notified law enforcement of this event.
Although the forensic experts were unable to confirm the specific messages or attachments within the email account that may have been subject to unauthorized access or acquisition, out of an abundance of caution, OS began conducting a thorough and systematic review of the impacted email account, working to confirm the identities of the individuals whose information may have been accessible to the unauthorized actor. On March 8, 2019, OS began notifying certain healthcare providers that patient information may be impacted by this event. Beginning on April 1, 2019, OS confirmed the identities of certain individuals whose information may have been accessible within the email account and began working with affected healthcare providers to confirm the contact information for these individuals. On May 2, 2019, OS began mailing notice to impacted patients. OS is providing notice of this incident on behalf of the various impacted healthcare providers, among which is Sparta Community Hospital. OS is also notifying regulatory authorities, as required.
The types of information contained in the employee’s email account affected by this event may include: patient name, date of service, hospital encounter number, and account balance. For a small number of patients, the information also included an insurance identification number and/or clinical information. For a limited number of individuals, Social Security numbers, in the form of insurance identification numbers, may have been impacted. At this time, there is no evidence of any actual or attempted misuse of the information accessible within the email account. No financial account information was impacted as a result of this event.
OS takes this incident and the security of personal information seriously. Upon learning of the incident, OS immediately secured the impacted email account. OS also reviewed existing policies and procedures, implemented additional safeguards, and will continue working to further secure the information in its systems. While OS is unaware of any misuse of any personal information contained within the impacted email account, individuals are encouraged to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor credit reports for suspicious activity. Although this matter did not impact any credit or debit card information, any fraudulent or suspicious charges on credit or debit cards should be immediately reported to the appropriate bank or financial institution. It is also a good practice to remain vigilant of unsolicited communications seeking credit card or other financial information. Incidents of identity theft should also be reported to local law enforcement. As an added precaution, OS is also offering complimentary access to 24 months of identity monitoring services through Kroll to those individuals who may have had their Social Security number impacted by this event. All impacted individuals are being offered 12 months of free access to Kroll’s fraud consultation and identity theft restoration services. The impacted individuals are encouraged to enroll in these free services. Additional information on this incident can also be found on OS’ website at www.os-healthcare.com.
Individuals seeking additional information regarding this incident can call the toll-free dedicated assistance line at 1-866-775-4209, Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time. In addition, affected individuals may also submit any questions about this incident by mail directed to OS: W237 N2920 Woodgate Road, Suite 100, Pewaukee, WI 53072.
SOURCE OS, Inc.