Substitute Notice of Data Breach

November 15th, 2023

To the Mt. Graham Community:

Please read this Notice in its entirety.

Mt. Graham Regional Medical Center is writing as part of our commitment to your privacy and care.

A Notice of Data Security Incident is being mailed to all impacted individuals with information on the data breach between November 15-26, 2023. This Substitute Notice contains information about services provided along with alternate methods of enrolling in credit services provided to the individuals who believe they may have been affected. 

What happened?

On September 27, 2023, Mt. Graham Regional Medical Center detected and stopped a sophisticated ransomware attack that occurred on September 13, 2023. Immediately upon discovering the attack, we engaged our 3rd party cyber security partner and incident response team to assist with securing the network environment, minimizing damages, counteracting the assault, restoring operations, and facilitating the solid recovery of our systems. Within four hours of discovering the attack, we successfully secured the network to prevent any further access from threat actors.

What Information was Involved:

Despite these efforts, the cybercriminal was able to access or acquire a subset of data, which included some patients’:

    • Demographic information such as names, addresses, email addresses, phone/fax numbers, dates of birth, driver’s license numbers, passport numbers, gender, and SSNs, 
    • Treatment information such as medical record numbers and data, dates of service, and
    • Financial information such as billing account numbers, Medicare numbers, Medicaid numbers, insurance numbers, and credit card numbers. 

What are we doing?

As part of our efforts to prevent future incidents and minimize the harm to your personal information, we performed a forensics security investigation, we alerted government agencies, including the FBI, and we are working with experts in the field to enhance our cyber security systems.

In response to the incident, we are providing the following to impacted individuals:

Individuals over the age of 18:  Access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score Services at no charge. These services provide alerts for 12 months from the date of enrollment when changes occur to the impacted individual’s credit file. We are also providing proactive fraud assistance to help with any questions or in the event that the impacted individual becomes a victim of fraud.  These services will be provided by Cyberscout through Identity Force, a TransUnion company specializing in fraud assistance and remediation services.

Parents of impacted minor dependents: Access to Cyber Monitoring Services for the parent and minor child for 12 months at no charge. Cyber monitoring will look out for the parent and child’s personal data on the dark web and alert them if their personally identifiable information is found online. These services will be provided by Cyberscout through Identity Force, a TransUnion company specializing in fraud assistance and remediation services.

What can I do to address this situation?

If you believe you may have been one of the individuals with an unknown address and you want to learn more detail about your specifically impacted information or if you want to utilize these services, please contact Mt. Graham Regional Medical Center at 1-800-664-3509 during the hours of 9:00 a.m. to 5:00 p.m. MST, Monday-Friday.

You may also email privacyofficer@mtgraham.org or send mail to Mt. Graham Regional Medical Center, Inc., Attn.: HIPAA Privacy Officer, 1600 S. 20th Avenue, Safford, AZ 85546.

If you believe you have been impacted but you choose not to contact us or use the above services, we strongly urge you to do the following:

If you choose to place a free fraud alert on your own, you will need to contact one of the three major credit agencies directly at:

  • Experian: 1-888-397-3742, experian.com/help
  • Equifax: 1-800-685-1111, equifax.com/personal/credit-report-services
  • TransUnion: 1-800-909-8872, transunion.com/credit-help

When one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. The initial fraud alert stays on your credit report for one year. You can renew it after one year. 

Also, should you wish to obtain a credit report and monitor it on your own:

  • IMMEDIATELY obtain free copies of your credit report and monitor them upon receipt for any suspicious activity. You can obtain your free copies by going to the following website: www.annualcreditreport.com or by calling them toll-free at 1-877-322-8228. (Hearing-impaired consumers can access their TDD service at 1-877-730-4204.)
  • Upon receipt of your credit report, we recommend that you review it carefully for any suspicious activity.  Monitor your bank and credit card statements for accounts and inquiries you don’t recognize. These can be signs of identity theft.

You can also obtain more information, report theft, and get recovery steps from the Federal Trade Commission (FTC) about identity theft and ways to protect yourself.  The FTC has an identity theft hotline:  877-438-4338; TTY: 1-866-653-4261.  They also provide information online at www.ftc.gov/idtheft.

What if I want to speak with Mt. Graham Regional Medical Center, Inc. regarding this incident?

If you have any questions, please do not hesitate to contact Mt. Graham Regional Medical Center at 1-800-664-3509 during the hours of 9:00 a.m. to 5:00 p.m. MST, Monday-Friday. You may also email privacyofficer@mtgraham.org or send mail to Mt. Graham Regional Medical Center, Inc., Attn.: HIPAA Privacy Officer, 1600 S. 20th Avenue, Safford, AZ 85546. We take patient privacy very seriously and sincerely apologize for and regret any concern or inconvenience this matter has caused our patients and community.