Healthcare Fiscal Management, Inc. Notification of Data Security Incident
June 25, 2020
Wilmington, North Carolina – June 26, 2020 -- Healthcare Fiscal Management Inc. (“HFMI”), a firm specializing in providing self-pay conversion and insurance eligibility services for hospital systems, clinics and physician groups, other healthcare providers and their communities, announced today that it has taken action after learning of a data security incident which may have compromised the personal information and/or protected health information of patients who received care from St. Mary’s Health Care System from in or about November 2019 through April 2020. HFMI began providing notice to all potentially impacted individuals on June 26, 2020.
What Happened? On April 13, 2020, HFMI became aware of a data security incident, including ransomware, that impacted portions of its server and data infrastructure. HFMI immediately took its systems offline and undertook efforts to restore its servers to a new hosting provider with additional high-level security mechanisms and monitoring. HFMI thereafter retained a professional forensic investigation firm to determine the nature of the security compromise and identify any individuals whose personal information and/or protected health information may have been compromised.
What Information Was Involved? The forensic investigation determined that first access to HFMI’s systems occurred on approximately April 12, 2020, with the ransomware launched on April 13, 2020. The data security incident may have resulted in unauthorized access to or acquisition of personal information, including names, dates of birth, and Social Security numbers, as well as protected health information, including medical record numbers, account numbers and dates of service that were provided to HFMI in connection with the provision of insurance eligibility services for its clients from November 2019 through April 2020. No direct medical diagnoses or clinical information were part of this breach.
What is HFMI Doing? As stated above, following the data security incident, HFMI immediately undertook efforts to restore the impacted servers to a new hosting provider. Backups and other information maintained by HFMI were used to enable near seamless restoration of security and services on the same day. HFMI has retained a forensic investigation firm to thoroughly investigate the incident and has confirmed that the information is no longer in possession of third party(ies) or accessible via the Internet. HFMI has also offered the impacted individuals access to complimentary credit monitoring and identity theft protection services as an added precaution and to mitigate risk. Please be advised that HFMI is continuing to work closely with leading security experts to identify and implement measures to further strengthen the security of their systems to help prevent this from happening in the future.
What Can Patients Do? We are aware of how important personal information and protected health information are to patients and their loved ones. HFMI began mailing notification letters on June 26, 2020, to the patients of St. Mary’s Health Care System for whom St. Mary’s Health Care System had valid mailing addresses and whose protected information was contained within the files that may have been accessed or acquired by an unauthorized actor. We anticipate that it will take five days for individuals to receive this letter. If an individual does not receive a letter but would like to know if he or she was potentially affected by this incident, or if an individual has any questions or would like additional information, they may call HFMI’s dedicated assistance line at (855) 917-3550 between the hours of 9:00am and 9:00pm EST, Monday through Friday.