Silver Cross Hospital

The way you should be treated.™

What happened?

Silver Cross recently discovered that certain information entered onto web forms by patients and others on the hospital’s website was potentially made available on the internet. This incident appears to have occurred because the off-site vendor that manages the data from completed web forms performed a software upgrade that removed security measures that had previously been in place. The incident was limited to the web form data hosted by the vendor, and Silver Cross’s own network and patient records systems were not affected.

When did this happen? 

Silver Cross discovered the issue on June 14, 2017. The earliest evidence of potential exposure of any web forms was late November, 2016.

Who was the vendor? 

The vendor that experienced the incident works with Silver Cross to manage and control the hosting of the data from completed web forms on the Silver Cross website. Since discovering this incident, Silver Cross began conducting a thorough review of the vendor’s security measures. In the meantime, Silver Cross remediated the issue that led to this incident and removed certain fields from the web forms so that particularly sensitive data is no longer collected.

What information affected?

This information varies depending on the type of form that was used, but may include individuals’ names, street addresses, telephone numbers, email addresses, dates of birth, IP address, race, marital status, provider name, and, in some cases, Social Security numbers, health insurance group and policy numbers, and information pertaining to mental or health condition, diagnosis or treatment details, if voluntarily provided in the web form. 

Information submitted via web forms to the Silver Cross website between January 2013 and June 14, 2017 could have been affected.

Was I affected by the security incident? 

If you submitted information through the Silver Cross website using a web form between January 2013 and June 14, 2017, your information could potentially have been affected. All persons potentially affected by this incident for whom we were previously provided contact information have been sent a personal notice via first class mail or email. If you believe you may have been affected, please call 866-236-8208 for further instructions.

Was my credit/debit card impacted? I paid for medical services.

We use a different system for processing payment cards and payment cards were not affected.

Do you suspect that my information has been used fraudulently? Has anyone been adversely affected as a result of this incident? 

At this time we are not aware of any fraudulent use of personal information, and Silver Cross has discovered no evidence to date that an unauthorized person actually navigated to one of the impacted web forms and accessed sensitive information. However, you should remain vigilant to guard against the possible misuse of your information. We have provided information on our website that details various steps you can take to protect yourself, including reviewing credit reports, account statements, and explanation of benefit documents. You can also enroll in any free identity protection services. For resources from the federal government, visit www.ftc.gov/idtheft or https://oig.hhs.gov/fraud/medical-id-theft.

I have never seen a Silver Cross doctor or received treatment from Silver Cross Hospital – why did I receive a letter? 

In an abundance of caution, we have provided notice to persons who provided information to Silver Cross, even if they did not ultimately become a patient. Further, it is possible that your information was provided by a patient of Silver Cross because you are the patients’ guarantor or the named policyholder for their health insurance.

I have never submitted information on the Silver Cross website. Why did I receive a letter? 

In some cases, some individuals’ information was submitted to the Silver Cross website by another person on their behalf, such as a spouse or relative. For example, you may have been identified as a guarantor or insurance policy holder by a patient who filled out a “Request an Appointment” form, or a family member may have provided feedback or impressions regarding your treatment at Silver Cross in a “Share my Story” or “Contact Us” form.

Why did I receive two letters? 

Sometimes, individuals may have used nicknames or different contact details to submit information to the Silver Cross website. Out of an abundance of caution, Silver Cross may have sent two letters to the same individual who provided different names on the web forms to ensure that they received written notice.

My name is misspelled on my letter. Why? Will that affect my credit monitoring? 

We apologize if your name is/was inadvertently misspelled – there may have been a typo in your name when you entered it into the affected web form. This will not affect your eligibility for credit monitoring, and your enrollment code will still work when you sign up with your correct name.

I did not receive a letter, but I believe I was impacted / I would like to enroll for credit monitoring.  

If you believe you may have been affected, please call 866-236-8208 for further instructions.

I received the notification on behalf of a deceased relative, what should I do? 

Upon the death of a consumer, the three major credit bureaus – Equifax, Experian and Trans Union – will flag the deceased’s credit file. This will prevent the credit file information from being used to open credit in the event that someone tries to steal the deceased’s identity. If you have not done so already, you may call all three major credit bureaus to request a death notice on the credit file.

We are also providing a complimentary identity monitoring product that you can use to monitor your deceased’s information.

What did Silver Cross do to prevent this from happening again?

Silver Cross took steps to address this incident promptly after it was discovered, including by immediately contacting the vendor to disable potential unauthorized access to completed forms and hiring a computer forensics firm to launch a comprehensive review into the circumstances surrounding the incident. Silver Cross is also working with the vendor to implement security reconfigurations and has retained experts to conduct a detailed and comprehensive review of security practices. Finally, the hospital is reviewing polices and performing additional training in the wake of this incident to prevent against future recurrences.

Is it safe to use your online web forms to submit my information?

We have contained the issue that led to this incident. However, if you are more comfortable making an inquiry by phone rather than on our website, please call Central Scheduling at 815-300-7076 to schedule an appointment or reserve a maternity visit, or call our main line at (815) 300-1100 for general inquiries.

What should I do to protect my information?

You can regularly review the explanation of benefits statements that you receive from your insurer or that you receive or review for persons whose medical bills you assist with or pay. If you identify services listed on the explanation of benefits forms that were not received, please immediately contact the insurer. For more information visit oig.hhs.gov/fraud/medical-id-theft.

You can also carefully check credit reports for accounts or inquiries you do not recognize. If you see anything you do not understand, call the credit agency immediately. If you find any suspicious activity on the credit reports, call your local police or sheriff's office, file a police report for identity theft, and get a copy of it. You may need to give copies of the police report to creditors to clear up credit records. For more information, visit www.ftc.gov/idtheft.

Finally, you can enroll for the free identity protection services we are providing to affected individuals. These services helps detect possible misuse of your personal information and may alert you if someone attempts to misuse your information.

For a detailed listing of information, please see our “Information about Identity Theft Protection” guide, available here.

When is the enrollment/sign-up deadline for the credit monitoring?

The deadline to enroll is November 11, 2017.

Located at 1900 Silver Cross Blvd., New Lenox, IL 60451   Main Phone (815) 300-1100

© Copyright 2017  Silver Cross Hospital. All Rights Reserved.

 

  

Physicians on Silver Cross Hospital’s Medical Staff have expertise in their areas of practice to meet the needs of patients seeking their care.  These physicians are independent practitioners on the Medical Staff and are not the agents or employees of Silver Cross Hospital. They treat patients based upon their independent medical judgment and they bill patients separately for their services.