On April 12, 2020, Advanced Monitoring Services became aware that a vendor it uses for billing services, Apex IONM Solutions ("Apex", https://www.apexionmsolutions.com/), had experienced a spear phishing attack that resulted in a breach of certain personally identifiable information. A bad actor posed as the CEO and convinced an Apex employee to send the bad actor a report that contained certain personal information, including patient name, patient address, patient telephone number, patient date of birth, patient insurance policy/group numbers, referring physician name, claim ID number, submitted charges, collections and case balance, insurance company check number, deposit amount and deposit date. No sensitive health or financial information, like diagnosis, Social Security number, or driver's license, was included. Only a small percentage of Advanced Monitoring Services’ patients were impacted by this breach. Patients who were affected will receive a letter postmarked June 11, 2020.
The Apex security team was notified within one minute that this large report had left the Apex system and immediately took steps to mitigate this incident. Apex attempted to recover the file, but the recovery attempt was unsuccessful. The Apex IT security team followed its system breach investigation and remediation protocols by disabling the employee's email account and access to the system. The Apex team then conducted a security assessment to determine the extent of the spear phishing access to Apex systems. This assessment confirmed that no other access to the Apex system nor access to any additional information held by Apex occurred, and that no malware or ransomware had been planted on the system. Apex promptly notified law enforcement of this incident. Apex also took appropriate disciplinary action against the employee who responded to this phishing email and has retrained all staff on cybersecurity. As a result of this incident, Apex realizes that even the best-in-class security protocols that were in place fell short and continues to research additional steps that it can take to reduce the likelihood that a similar incident could occur again.
While there is no indication that patient information has been or will be used inappropriately, Advanced Monitoring Services is notifying all impacted individuals who can be identified and located and is advising them of precautionary steps they can take to protect themselves, including offering complimentary credit monitoring services for two years.
Advanced Monitoring Services and Apex sincerely regret that this incident occurred. However, both continue to be committed to providing quality care and safeguarding personal information. Apex has established a call center to answer any questions that patients may have about this incident. Individuals may contact the call center at (800) 939-4170.