Important Message for our Patients
As a small, family-owned ophthalmology practice, we know many of you have relied on us for over 30 years, and we have always prioritized providing our patients with the best care possible, as well as the safety and security of their medical and personal records entrusted to us.
You or one of your family members or loved ones may have received a recent letter from QRS, Inc., informing you that your personal records stored on their server may have been compromised.
QRS has been our patient portal company for more than nine years. Despite QRS’ safeguards, an unknown, unauthorized third party accessed the patient portal server that QRS hosts, manages, and maintains for us and other medical providers. Upon learning of the incident, QRS immediately took the server offline and began an investigation. They engaged a forensic security firm to confirm the security of QRS’ network, analyze the incident, and determine the extent of the Personal Health Information (PHI) that may have been accessed or acquired by the third party. The unauthorized access to QRS’ server occurred in late August. The PHI accessed for each person varies and may include one or more items including their name, Social Security number, date of birth, address, and limited medical treatment or diagnosis information if it was uploaded to the QRS portal.
QRS informed our practice of this incident on September 7, 2021, during the early stages of its investigation, and also chose to keep the affected patient portal offline permanently. Records remain available and we can continue to provide our patients with the high-level care they are accustomed to receiving. QRS has made subsequent updates using additional information acquired through its investigation. Once QRS had enough information, they worked with our practice to provide our patients with notice of the event. QRS’ forensic investigation, through its examination of only QRS systems, did not uncover evidence that the incident involved access to QRS clients’ systems.
Like our practice, QRS regrets the situation and its impact on our patients and practice. To safeguard our patient information, we will continue to closely monitor QRS’ remedial actions, which include implementing multi-factor identification on core QRS systems for key administrators and implementing a Security Information and Event Management system (SIEM). They also continue to review and update their information security policies for the patient records they hold for our practice.
Our office continues to evaluate our practice’s local system and we obtained an independent evaluation, which found no evidence of a data breach on our local system. The system has several protections in place, and our computers are updated and actively monitored. Again, we regret the unfortunate situation occurring with QRS’ systems.
To get further information, you may call QRS’ toll-free number 855-675-3080 from 9 a.m. – 9 p.m. EST, Monday through Friday. If you are one of our patients, you also have the choice to call and speak to our dedicated incident representative at 229-352-6700.
Please allow me and my staff to prioritize patient care, appointment setting and follow-ups while QRS or our breach representative help you with any concerns you have about this breach and your records. We are truly sorry for any inconvenience or concern this incident may cause you and believe that all the right steps are being taken.
Additional Important Information
As a precautionary measure, we recommend that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general, as well as the Federal Trade Commission (“FTC”).
You may wish to review the tips provided by the FTC on fraud alerts, security/credit freezes and steps you can take to avoid identity theft. For more information and to contact the FTC, please visit www.ftc.gov/idtheft or call 1-877-ID-THEFT (1-877-438-4338). You may also contact the FTC at Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Credit Reports: You may obtain a free copy of your credit report once every 12 months from each of the three national credit reporting agencies by visiting www.annualcreditreport.com, by calling toll-free 1-877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can print a copy of the request form at https://www.annualcreditreport.com/manualRequestForm.action.
Alternatively, you may elect to purchase a copy of your credit report by contacting one of the three national credit reporting agencies. Contact information for the three national credit reporting agencies for the purpose of requesting a copy of your credit report or for general inquiries is as follows:
* Offline members will be eligible to call for additional reports quarterly after enrolling.
** The Identity Theft Insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.
Fraud Alerts: You may want to consider placing a fraud alert on your credit report. A fraud alert is free and will stay on your credit report for one (1) year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any new accounts in your name. To place a fraud alert on your credit report, contact any of the three national credit reporting agencies using the contact information listed above. Additional information is available at www.annualcreditreport.com.
Credit and Security Freezes: You may have the right to place a credit freeze, also known as a security freeze, on your credit file, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate the freeze. A credit freeze can be placed without any charge and is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a credit freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a credit freeze may delay your ability to obtain credit. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. Since the instructions for how to establish a credit freeze differ from state to state, please contact the three major credit reporting companies as specified below to find out more information:
This notification was not delayed by law enforcement. Individuals interacting with credit reporting agencies have rights under the Fair Credit Reporting Act.
We encourage you to review your rights under the Fair Credit Reporting Act by visiting https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf, or by requesting information in writing from the Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
Iowa Residents: Iowa residents can contact the Office of the Attorney general to obtain information about steps to take to avoid identity theft from the Iowa Attorney General’s office at: Office of the Attorney General of Iowa, Hoover State Office Building, 1305 E. Walnut Street, Des Moines IA 50319, 515-281-5164.
Maryland Residents: Maryland residents can contact the Office of the Attorney General to obtain information about steps you can take to avoid identity theft from the Maryland Attorney General’s office at: Office of the Attorney General, 200 St. Paul Place, Baltimore, MD 21202, (888) 743-0023, http://www.marylandattorneygeneral.gov/.
New York State Residents: New York residents can obtain information about preventing identity theft from the New York Attorney General’s Office at: Office of the Attorney General for the State of New York, Bureau of Consumer Frauds & Protection, The Capitol, Albany, New York 12224-0341; https://ag.ny.gov/consumer-frauds/identity-theft; (800) 771-7755.
North Carolina Residents: North Carolina residents can obtain information about preventing identity theft from the North Carolina Attorney General’s Office at: North Carolina Attorney General’s Office, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001; 877-5-NO-SCAM (Toll-free within North Carolina); 919-716-6000; www.ncdoj.gov.
Rhode Island Residents: We believe that this incident affected 30 Rhode Island residents. Rhode Island residents can contact the Office of the Attorney general at: Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903, (401) 274-4400, www.riag.ri.gov. You have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
Vermont Residents: If you do not have internet access but would like to learn more about how to place a security freeze on your credit report, contact the Vermont Attorney General’s Office at 802-656-3183 (800-649-2424 toll-free in Vermont only).