SUBSTITUTE (WEBSITE) NOTICE

BREACH ANNOUNCEMENT

The Centers for Advanced Orthopaedics (CAO) values our relationship with patients and those employees (and their dependents) enrolled in CAO’s health plan. This notification informs those individuals of a data security incident that may have affected their protected health information.

WHAT HAPPENED?

On September 17, 2020, CAO identified unusual activity in its email environment. After discovering the unusual activity, CAO immediately launched an investigation, with the assistance of cybersecurity experts, into the nature and scope of the incident. As part of this investigation, CAO determined that multiple employee email accounts were subject to unauthorized access between October 2019 and September 2020, and that certain emails therein were accessible to the responsible cybercriminal as a result. Following this discovery, CAO launched an extensive and thorough data mining effort to identify potentially affected individuals.

WHAT INFORMATION WAS INVOLVED?

On January 25, 2021, CAO determined that protected health information was contained in emails accessible to the cybercriminal. Please note the actual protected health information affected varies by individual and CAO cannot confirm whether this protected health information was actually accessed or acquired by the responsible cybercriminal.

For patients: For most patients, this protected health information consists of medical diagnosis and treatment information and date of birth. For a subset of patients, however, accessible protected health information also includes one or more of the following: Social Security number, driver’s license number, passport number, financial account information, payment card information, or email/username and password.

For employees and dependents: For most employees and dependents, this protected health information consists of date of birth, medical diagnosis and treatment information, Social Security number, and driver’s license number. For a subset of employees and dependents, however, accessible protected health information also includes one or more of the following: passport number, financial account information, payment card information, or email/username and password.

WHAT CAO IS DOING.

CAO began mailing notification letters on March 25, 2021 to those whom CAO had a valid mailing address. In addition, CAO is reviewing its policies and procedures, assessing its security infrastructure, and implementing additional safeguards to better protect against an incident like this from happening again in the future. CAO has also provided notice of this incident the U.S. Department of Health and Human Services, the consumer reporting agencies, and certain state regulators as required.

WHAT YOU CAN DO.

While CAO is unaware of any actual or attempted misuse of protected health information as a result of this incident, CAO nevertheless encourages individuals to review credit reports, health account statements, health insurance account records, and explanation of benefits forms for suspicious activity, and report all suspicious activity to the institution that issued the record immediately. CAO also encourages individuals to enroll in the complimentary credit monitoring and identity restoration services being offered by CAO. Individuals can refer to their notification letter for enrollment instructions and additional recommendations.

FOR MORE INFORMATION.

CAO has established a dedicated toll-free call center to answer any questions you may have. For questions, please call (866) 578-5413, Monday through Friday, between 9:00am and 11:00pm EST, and Saturday and Sunday, between 11:00am and 8:00pm EST. Be prepared to provide engagement number B009647 when you call.

If you did not receive a letter, but would like to know if you were impacted, please contact the call center.