Data breach connected to Capital Region’s Community Care Physicians reported

PHOTOGRAPHER: Erica Miller

Community Care Physicians' Clifton Park facility is shown in September 2019.

COLONIE — A data breach at an accounting firm has potentially exposed the personal data of patients at the largest independent medical practice in the Capital Region.

Some of the 370,000 patients of Community Care Physicians got letters Tuesday from BST & Co. CPAs about the matter. Community Care followed up Wednesday with notices to patients about the situation and how best to respond.

Neither BST or Community Care would say how many people are potentially affected. Community Care said it was not all 370,000 patients, but was more than the 500-person threshold for mandated reporting under federal healthcare privacy rules. BST also would not say if any of its other clients were affected, but it noted that data for some of the other clients was stored on the computer network that was breached.

The situation stems from a December ransomware attack on BST. Community Care patient data was exposed but there is no evidence it was accessed or misused, BST said. Also, it said, the data involved was not the most sensitive type, such as bank account numbers, social security numbers or medical records — it was patient names, birthdates, record numbers and billing codes. Nonetheless, BST is outlining steps patients can take to protect themselves financially, and is offering free identity monitoring for a year.

Community Care is based on Route 7 in Latham and is a significant part of the Capital Region medical community. It has 400-plus practitioners in 30 specialties plus 1,600 other employees spread across 80 locations in eight counties.

BST is a large accounting and financial management firm based off Wolf Road in Colonie.

In a prepared statement Wednesday, Community Care Corporate Compliance Officer Mackensie Greene said there have been no known adverse effects on patients in the 10 weeks since the breach.

“We have a longstanding relationship with BST and we have been working very closely with them to monitor this unfortunate and isolated event. We feel very confident that our patients’ data is secure with either company. This incident was quickly identified and addressed and we know that BST is doing everything in their power to assist our patients who were affected.”

In a prepared statement of its own, BST said it is taking steps to notify and protect people “out of an abundance of caution.”

“Unfortunately, data security incidents have become increasingly common and are impacting organizations both large and small, public and private,” BST said. “We are committed to ensuring the security of all data under our care, and encourage all to remain vigilant about the growing occurrence of cyber threats.”

In separate notifications, BST and Community Care outlined the incident as follows:

— BST determined on Dec. 7 that hackers outside the company had infected part of its network containing client accounting and tax data with a ransomware virus three days earlier.

— BST was able to restore files using backup.

— A subsequent forensic examination confirmed on Feb. 5 that some patients’ personal information had been exposed.

— Using addresses on file for those patients, BST mailed out notifications to them Feb. 14. There was no mail delivery on Monday, a federal holiday, so the letters began to arrive at patients’ homes Tuesday.

— BST has created an assistance line at 866-977-0784; patients can call for additional help from 9 a.m. to 9 p.m. weekdays.

— Any Community Care patients who did not receive a letter but want to verify their data was not breached can call the hotline as well.

BST offered advice:

— Anyone noticing unusual account or credit report activity should contact a local law enforcement agency.

— Check credit reports regularly. Under federal law, adults are entitled to one free credit report per year from each of the three major credit bureaus — Equifax, Experian and TransUnion — and can contact them directly or visit www.annualcreditreport.com.

— Individuals can activate a free fraud alert with the credit bureaus, which better protects the individual from fraud but will also slow down their legitimate efforts to obtain credit.

— Individuals can also place a security freeze on their credit reports; while this offers even more protection, it is tedious to activate and remove, and can greatly slow or even block legitimate credit checks for everything from apartment leases to job applications to car loans.

— Further information on protecting against identity theft and fraud is available from the Federal Trade Commission at www.ftc.gov/idtheft/ and from the New York state Attorney General’s Office at https://ag.ny.gov/consumer-frauds-bureau/identity-theft.