Unauthorized Access to Internal Computer Network at Connexin Software, Inc.
Connexin Software, Inc. (Connexin), a provider of electronic medical records and practice management software, billing services, and business analytic tools to pediatric physician practice groups, is providing notice that an unauthorized third party was able to gain access to an internal computer network. The live electronic medical record was not accessed and the incident did not affect any pediatric practice groups’ systems, databases, or medical records system at all.
On August 26, 2022, Connexin detected a data anomaly on our internal network. We immediately launched an investigation and engaged third-party forensic experts to determine the nature and scope of the incident. On September 13, 2022, we learned that an unauthorized party was able to access an offline set of patient data used for data conversion and troubleshooting. Some of that data was removed by the unauthorized party. The live electronic record system was not accessed in this incident, and the incident did not involve any physician practice group’s systems, databases, or medical records system at all. Connexin is not aware of any actual or attempted misuse of personal information as a result of this event.
The patient information may have included: (1) patient demographic information (such as patient name, guarantor name, parent/guardian name, address, email address, and date of birth); (2) Social Security Numbers (“SSNs”), (3) health insurance information (payer name, payer contract dates, policy information including type and deductible amount and subscriber number); (4) medical and/or treatment information (dates of service, location, services requested or procedures performed, diagnosis, prescription information, physician names, and Medical Record Numbers); and (5) billing and/or claims information (invoices, submitted claims and appeals, and patient account identifiers used by your provider). Please note that not all data fields may have been involved for all individuals. Information of a parent, guardian, or guarantor may also have been impacted by the incident.
Data security is very important to us. As soon as we discovered the incident, we immediately took action to stop the unauthorized activity. This included a password reset of all corporate accounts and moving all patient data used for data conversion and troubleshooting into an environment with even greater security. Connexin also retained a third-party cybersecurity forensic firm to investigate the issue and is working with law enforcement to investigate the incident. In response to this incident, Connexin has enhanced its security and monitoring as well as further hardened its systems as appropriate to minimize the risk of any similar incident in the future.
The enclosed Reference Guide includes additional information on general steps you can take to monitor and protect your child’s personal information. We encourage you to carefully review credit reports and statements sent from providers as well as your insurance company to ensure that all account activity is valid; any questionable charges should be promptly reported to the provider’s billing office, or for insurance statements, to your insurance company.
If your child’s SSN was impacted, Connexin has arranged to offer your child identity monitoring services for a period of one year, at no cost to you, through Kroll (our third party vendor). You have 6 months from the date of your notice letter to activate these services, and instructions on how to activate these services are included in your notice letter.
Individuals who may have been impacted by this event are being mailed notices. Since it is possible there may be insufficient or out-of-date contact information for some individuals whose information was impacted, this notice is also accessible via Connexin’s website at https://www.officepracticum.com/substitute-notice/ and the affected physician practice groups’ websites, consistent with HIPAA.
If you have any questions about this matter or would like additional information, please refer to the enclosed Reference Guide, or call toll-free 855-532-0912. This call center is open from 8:00am – 5:30pm CT, Monday through Friday, excluding some U.S. holidays.
We sincerely regret and apologize that this incident occurred. Connexin takes the security of personal information seriously, and we will continue to work diligently to protect the information entrusted to us.
This notice is being provided on behalf of the following physician practices/practice groups:
|ABC Pediatrics Practice, PC
Academy Pediatrics, PA
Advanced Care Pediatric Centre, PLLC
Alice Tanner, M.D., PC
All Star Pediatrics, LLC
Angel Kids Pediatrics
Arlington Pediatric Partners, PLLC d/b/a Kids Docs Pediatrics
August Pediatrics, PA
Austex Pediatrics, PA
Bristow Pediatrics, PLLC
Cecilia A Nwankwo, M.D. FAAP, PC
Carolina Pediatrics and Adolescent Care, PA
Casey Thomas Mulcihy Austin Texas, PA
Central Coast Pediatrics, Inc.
Children’s Clinic, Ltd.
Children’s Health Center of Columbus, Inc.
Children’s Health of Ocala, PA
Children’s Mercy – Pediatric Partners, Inc.
Children’s Mercy – Shawnee Mission Pediatrics
Children’s Pediatric Center Northside, LLC
Community Pediatrics, SC
Cordova Pediatrics, PLLC
Crockett Kids Pediatrics, PC
Discovery Pediatrics, Inc.
Dr. Michael J Ulich Pediatrics, LLC
Drexel Hill Pediatric Associates, PC
Eastern Carolina Pediatrics, PA
Eastern Shore Children’s Clinic, PC
Ekta Khurana, M.D., PLLC
Emily B. Vigour, M.D., LLC d/b/a Vigour Pediatrics
Ennis Pediatric and Adolescent Health Care, PA
Forest Hill Pediatrics, LLC MD
Fox Pediatrics, PLLC
Fraser-Branche Medical, PLLC
Gaurang Patel, M.D., LLC
Gold Pediatrics, PA
Goldsboro Pediatrics, PA
Goodlettsville Pediatrics, PC
Graham Pediatrics of Woodstock, LLC
Great Bend Children’s Clinic, PA
Harbor Pediatrics, PS
Hatboro Pediatrics, PC
Hawthorne Pediatrics, LLC
Hebron Pediatrics, LLC
Heights Pediatrics, PC
Helena Pediatric Clinic, PC
Holmdel Pediatrics, LLC
Honeygo Pediatrics, LLC
Jackson Pediatric Associates, PA
Jaleh Niazi, M.D., PC d/b/a New Day Pediatrics
James A. Weidman, AMC
Jose F. Alvarado & Associates, PA
Kate Bowers, M.D., PLLC d/b/a Firefly Pediatrics
Kerrville Pediatrics, PLLC
Kids First Pediatric Care, PA
Kids Kare Pediatrics, PLLC
Kids World Pediatrics, LLC
|Kidswood Pediatrics, Inc.
Kidzcare Pediatrics, PC
KION Pediatrics, PLLC
Kressly Pediatrics, PC
Lilac City Pediatrics, PA
Madison Pediatric Associates, PC
Maria Luisa Lira, M.D., PA
Mariano D. Cibran, M.D., Inc. d/b/a St. Petersburg Pediatrics
Maryland Pediatric Care, LLC
Maryvale Pediatric Specialists, LLC
Mayura Madani, M.D., PLLC
McComb Children’s Clinic, Ltd.
Northeast Pediatric Night Clinic, Inc.
Oregon City Pediatrics
Orland Children’s Center, Inc.
Passaic Pediatrics II, PA
Pediatric Associates, PA
Pediatric Associates, PSC
Pediatric Associates of Lawrenceville, LLC
Pediatric Care Center No. 2, Inc.
Pediatric Center for Wellness, PC
Pediatric Health Center of El Paso
Pediatric Healthcare Associates of McKinney
Pediatric Medicine of Cartersville, PC
Pediatric MultiCare West, LLC
Pediatric Physicians of Reston, PC
Pediatrics East, PC
Peds First Pediatrics
Pensacola Pediatrics PA
Petoskey Pediatrics PC
Phillips Pediatrics, PC
Premiere Pediatrics, PLLC
QC Kidz Pediatrics, PLLC
Rachel Z. Chatters, M.D., Inc
Raleigh Group, PC
Rankin Children’s Group, PLLC
Raza Ali, MD, PC
Reading Pediatrics, Inc.
Renaissance Pediatrics, P.C.
Ruth Agwuna, M.D.
Samuel R Williams, M.D., PA
San Marino Pediatric Associates
SchoolCare, Inc. f/k/a CareDox, Inc.
SCS LLC d/b/a Bayshore Pediatrics
Sistema Infantil Teleton USA, Inc. a/k/a CRITS
South River Pediatrics, LLC
Springfield Medical, LLC
Sumter Pediatrics, LLC
Texoma Pediatrics, PLLC
The Pediatric & Adolescent Clinic, Inc.
The Pediatric Center of Frederick, LLC
Thomasville-Archedale Pediatrics, PLLC
Thompson River Pediatrics and Urgent Care, LLC
Valley Children’s Medical Group
Virginia Pediatric Group, Ltd.
Watch Us Grow Pediatrics, PC
We Care Pediatrics, PC
Wee Tots Pediatrics, PA
Westview Pediatric Care, LLC
Zero Pediatrics, PLLC
Review Your Account Statements
Carefully review statements sent to you from providers as well as from your insurance company to ensure that all of your account activity is valid. Report any questionable charges promptly to the provider’s billing office, or for insurance statements, to your insurance company.
Provide any updated personal information to your health care provider
Your health care provider’s office may ask to see a photo ID to verify your identity. Please bring a photo ID with you to every appointment if possible. Your provider’s office may also ask you to confirm your date of birth, address, telephone, and other pertinent information so that they can make sure that all of your information is up-to-date. Please be sure and tell your provider’s office when there are any changes to your information. Carefully reviewing this information with your provider’s office at each visit can help to avoid problems and to address them quickly should there be any discrepancies.
Order Your Free Credit Report
To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through the website, toll-free number or request form.
Upon receiving your credit report, review it carefully. Look for accounts you did not open. Look in the “inquiries” section for names of creditors from whom you have not requested credit. Some companies bill under names other than their store or commercial names; the credit bureau will be able to tell if this is the case. Look in the “personal information” section for any inaccuracies in information (such as home address and Social Security Number).
If you see anything you do not understand, call the credit bureau at the telephone number on the report. Errors may be a warning sign of possible identity theft. You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected. If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing. Information that cannot be explained should also be reported to your local police or sheriff’s office because it may signal criminal activity.
How to Activate Kroll Identity Monitoring Services
As a safeguard, we have arranged for you to activate, at no cost to you, in online identity monitoring services provided by Kroll.
To activate this service, please the instructions for activation in your notice letter.
The monitoring included in the membership must be activated to be effective. You have until 6 months from the date of your notice letter to activate these services. Please note that identity monitoring services may not be available for individuals who do not have an address in the United States (or its territories) and a valid Social Security number. Activating this service will not affect your credit score.
We encourage you to take advantage of these protections and remain vigilant for incidents of fraud and identity theft, including regularly reviewing and monitoring your credit reports and account statements.
Contact the U.S. Federal Trade Commission
If you detect any unauthorized transactions in any of your financial accounts, promptly notify the appropriate payment card company or financial institution. If you detect any incidents of identity theft or fraud, promptly report the matter to your local law enforcement authorities, state Attorney General and the FTC.
You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft by using the contact information below:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
Place a Fraud Alert on Your Credit File
To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect against the possibility of an identity thief opening new credit accounts in your name. When a credit grantor checks the credit history of someone applying for credit, the credit grantor gets a notice that the applicant may be the victim of identity theft. The alert notifies the credit grantor to take steps to verify the identity of the applicant. You can place a fraud alert on your credit report by calling any one of the toll-free fraud numbers provided below. You will reach an automated telephone system that allows flagging of your file with a fraud alert at all three credit bureaus.
|Equifax||P.O. Box 105069
|Experian||P.O. Box 2002
Allen, Texas 75013
P.O. Box 2000
Chester, PA 19016
You have the right to request a credit freeze from a consumer reporting agency, free of charge, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a security freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a security freeze may delay your ability to obtain credit.
Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit bureau. To place a security freeze on your credit report you must contact the credit reporting agency by phone, mail, or secure electronic means and provide proper identification of your identity. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.
Below, please find relevant contact information for the three consumer reporting agencies:
|Equifax Security Freeze||P.O. Box 105788
Atlanta, GA 30348
|Experian Security Freeze||P.O. Box 9554
Allen, TX 75013
P.O. Box 160
Woodlyn, PA 19094
Once you have submitted your request, the credit reporting agency must place the security freeze no later than 1 business day after receiving a request by phone or secure electronic means, and no later than 3 business days after receiving a request by mail. No later than five business days after placing the security freeze, the credit reporting agency will send you confirmation and information on how you can remove the freeze in the future.
For Residents of the District of Columbia
You may contact the D.C. Attorney General’s Office to obtain information about steps to take to avoid identity theft:
D.C. Attorney General’s Office, Office of Consumer Protection, 400 6th Street, NW, Washington DC 20001, 1-202-442-9828, www.oag.dc.gov.
For Residents of Iowa
You may contact law enforcement or the Iowa Attorney General’s office to report suspected incidents of identity theft. The Iowa Attorney General’s Office can be reached at:
Iowa Attorney General’s Office, Director of Consumer Protection Division, 1305 E. Walnut Street, Des Moines, IA 50319, 1-515-281-5926, www.iowattorneygeneral.gov.
For Residents of Maryland
You may also obtain information about preventing and avoiding identity theft from the Maryland Office of the Attorney General:
Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, 1-888-743-0023, http://www.marylandattorneygeneral.gov/.
For Residents of Massachusetts
You have the right to obtain a police report with respect to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
For Residents of New Mexico
New Mexico consumers have the right to obtain a security freeze or submit a declaration of removal.
You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.
The security freeze is designed to prevent credit, loans and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number, password or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place. To remove the freeze or to provide authorization for the temporary release of your credit report, you must contact the consumer reporting agency and provide all of the following:
(1) the unique personal identification number, password or similar device provided by the consumer reporting agency;
(2) proper identification to verify your identity; and
(3) information regarding the third party or parties who are to receive the credit report or the period of time for which the credit report may be released to users of the credit report.
A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request. As of September 1, 2008, a consumer reporting agency shall comply with the request within fifteen minutes of receiving the request by a secure electronic method or by telephone.
A security freeze does not apply in all circumstances, such as where you have an existing account relationship and a copy of your credit report is requested by your existing creditor or its agents for certain types of account review, collection, fraud control or similar activities; for use in setting or adjusting an insurance rate or claim or insurance underwriting; for certain governmental purposes; and for purposes of prescreening as defined in the federal Fair Credit Reporting Act.
If you are actively seeking a new credit, loan, utility, telephone or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, with enough advance notice before you apply for new credit for the lifting to take effect. You should contact a consumer reporting agency and request it to lift the freeze at least three business days before applying. As of September 1, 2008, if you contact a consumer reporting agency by a secure electronic method or by telephone, the consumer reporting agency should lift the freeze within fifteen minutes. You have a right to bring a civil action against a consumer reporting agency that violates your rights under the Fair Credit Reporting and Identity Security Act.
For Residents of New York
You may also obtain information about security breach response and identity theft prevention and protection from the New York Attorney General’s Office:
Office of the Attorney General, The Capitol, Albany, NY 12224-0341, 1-800-771-7755, www.ag.ny.gov.
For Residents of North Carolina
You may also obtain information about preventing and avoiding identity theft from the North Carolina Attorney General’s Office:
North Carolina Attorney General’s Office, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-919-716-6000, www.ncdoj.gov.
For Residents of Oregon
State laws advise you to report any suspected identity theft to law enforcement, as well as the Federal Trade Commission. Contact information for the Oregon Department of Justice is as follows:
Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301, 1-877-877-9392, www.doj.state.or.us.
For Residents of Rhode Island
You have a right to file or obtain a police report related to this incident. You may also obtain information about preventing and avoiding identity theft from the Rhode Island Office of the Attorney General:
Office of the Attorney General, 150 South Main Street, Providence, RI, 02903, 1-401-274-4400, www.riag.ri.gov.