The Chattanooga Heart Institute Notice of Data Security Incident

The Chattanooga Heart Institute takes the protection and proper use of Protected Health
Information (“PHI”) very seriously. This notice explains a recent data security incident involving
some PHI, our response to the incident, and steps individuals can take to protect personal
information.

What happened?
On April 17, 2023, The Chattanooga Heart Institute identified indications of a cybersecurity
attack on its IT network. The Chattanooga Heart Institute immediately took steps to secure its
network and began an investigation with the assistance of an external forensics vendor. The
investigation determined that an unauthorized third party gained access to The Chattanooga
Heart Institute’s network between March 8, 2023, and March 16, 2023. On May 31, 2023, The
Chattanooga Heart Institute learned that the unauthorized third party obtained copies of some of
the data from its systems containing confidential patient information. It is important to note,
however, the unauthorized third party did not retrieve data directly from The Chattanooga Heart
Institute’s Electronic Medical Record (“EMR”).

What information was involved?
While The Chattanooga Heart Institute continues to complete an extensive review of the files
involved, the investigation found that the unauthorized third party may have accessed or
acquired some information related to The Chattanooga Heart Institute patients or their
guarantors. The information in the files may have included name, mailing address, email
address, phone number, date of birth, driver’s license number, Social Security number, account
information, health insurance information, diagnosis/condition information, lab results,
medications and other clinical, demographic or financial information.

What we are doing.
Upon discovering the unauthorized third party access, The Chattanooga Heart Institute took
quick action to protect its systems, contain the incident, begin an investigation, and maintain
continuity of care. In addition, The Chattanooga Heart Institute notified federal law enforcement.
Once secured, systems were returned to the network with additional security and monitoring
tools.

Notification letters to individuals whose data may be involved will begin to be sent out by US
mail over the coming weeks as the detailed review of each file is completed. To help relieve
concerns and restore confidence following this incident, The Chattanooga Heart Institute has
secured the services of Equifax to provide identity monitoring at no cost to individuals whose
data may be involved. These identity monitoring services, as described in more detail in the
individual notification letters being provided to affected individuals, include Credit Monitoring,
Fraud Consultation, and Identity Theft Restoration.

Actions you may wish to take.
It is always prudent for patients to review health care statements for accuracy and report to your
provider or insurance carrier any services or charges that were not incurred. Additionally, there
are further steps and protections that individuals can take, including those recommended by
the Federal Trade Commission (visit: www.ftc.gov) regarding identity theft protection and details
on how to place a fraud alert or a security freeze on your credit file.

For more information.
We have established a call center with a trusted third-party partner that can answer specific
questions about this IT security event. Please call toll-free 1-833-627-2719, Monday through
Friday from 9:00 a.m. to 9:00 p.m. ET, excluding U.S. holidays.
We apologize for any concern this may cause. Protecting information is important to us. We
trust that this notification and additional resource information demonstrate our continued
commitment to our patients and the community.

Frequently Asked Questions (FAQs)

Q: What happened?
A: On April 17, 2023, The Chattanooga Heart Institute identified indications of a cybersecurity
attack on its IT network. The Chattanooga Heart Institute immediately took steps to secure its
network and began an investigation with the assistance of an external forensics vendor. The
investigation determined that an unauthorized third party gained access to The Chattanooga
Heart Institute’s network between March 8, 2023, and March 16, 2023. On May 31, 2023, The
Chattanooga Heart Institute learned that the unauthorized third party obtained copies of some
data from its systems containing confidential patient information.

Q: Am I impacted?
A: The investigation is ongoing, and The Chattanooga Heart Institute is in the process of
identifying which individuals’ information may have been involved. Notification letters to
individuals whose data may be involved will begin to be sent out by US mail over the coming
weeks as the detailed review of each file is completed. However, based on the investigation to
date, it is believed some information is related to The Chattanooga Heart Institute patients or
their guarantors.

Q: What type of information may be involved in this event?
A: The investigation is ongoing, and to date, the information identified in the files may have
included patient or guarantor name, mailing address, email address, phone number, date of
birth, driver’s license number, Social Security number, account information, health insurance
information, diagnosis/condition information, lab results, medications and other clinical,
demographic or financial information.

Q: What is best practice for protecting against identity theft and fraud?
A: It is always prudent for patients to review health care statements for accuracy and report to your
provider or insurance carrier any services or charges that were not incurred. Additionally, there
are further steps and protections that individuals can take, including those recommended by the
Federal Trade Commission (visit: www.ftc.gov) regarding identity theft protection and details on
how to place a fraud alert or a security freeze on your credit file.
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three
major credit reporting bureaus, Equifax, Experian, and TransUnion. To order your free credit
report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also directly
contact the three major credit reporting bureaus listed below to request a free copy of your
credit report.

Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost.
An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a
fraud alert display on a consumer’s credit file, a business is required to take steps to verify the
consumer’s identity before extending new credit. If you are a victim of identity theft, you are
entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to
place a fraud alert, please contact any one of the three major credit reporting bureaus listed
below.

As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit
report, which will prohibit a credit bureau from releasing information in the credit report without
the consumer’s express authorization. The credit freeze is designed to prevent credit, loans,
and services from being approved in your name without your consent. However, you should be
aware that using a credit freeze to take control over who gets access to the personal and
financial information in your credit report may delay, interfere with, or prohibit the timely approval
of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be
charged to place or lift a credit freeze on your credit report.

To request a security freeze, you will need to provide the following information:
1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);
2. Social Security number;
3. Date of birth;
4. Addresses for the prior two to five years;
5. Proof of current address, such as a current utility bill or telephone bill;
6. A legible photocopy of a government-issued identification card (state driver’s license or
ID card, etc.); and
7. A copy of either the police report, investigative report, or complaint to a law
enforcement agency concerning identity theft if you are a victim of identity theft.

Should you wish to place a credit freeze, please contact the three major credit reporting bureaus
listed below:

Additional Information
You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the
steps you can take to protect your personal information by contacting the consumer reporting
bureaus, the Federal Trade Commission, or your state Attorney General. The Federal Trade
Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580;
www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police
report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.

For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-576-6300 or 1-888-743-0023; and www.marylandattorneygeneral.gov/. Imagine360 is located at 1550 Liberty Ridge Dr. Suite 330 Wayne, PA 19087.

For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. You may have additional rights under
the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave.
N.W., Washington, D.C. 20580.

For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov/.

For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001
Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and
www.ncdoj.gov.

Q: What is The Chattanooga Heart Institute doing to prevent similar events from
happening in the future?
A: The Chattanooga Heart Institute is in the process of completing a thorough forensic
investigation of the incident and also notified federal law enforcement. Upon discovery, they
isolated impacted systems for investigation. Once secured, systems were returned to the
network with additional security and monitoring tools.