On February 17, 2024, through alerts on its systems, OA became aware that we were the victim of a criminal cyber-attack. OA discovered the attack within hours after it began and OA’s vendor took immediate steps to try to stop the attack. OA has had continuous access to its systems and was never locked out of its systems.
On February 20 and 21, 2024, the attacker sent three communications claiming to have stolen some of our data and threatening to release the stolen data publicly. We promptly took steps to further secure our information systems and investigate the incident, including contacting the FBI and hiring a forensic cybersecurity response firm. As a result of the investigation, it was ultimately determined that the attacker did not view individual documents, but ran programs to exfiltrate (take) some data from OA systems.
While the investigation narrowed down which data might have been taken, it could not definitively determine which specific documents in that subset of data may have been taken. As a result, OA could not rule out the possibility that Protected Health Information (“PHI”) and personal information of OA patients and staff may have been compromised during the attack.
The hacker did not gain access to the OA medical records system. For the vast majority of individuals, the information impacted included billing records and did not include Social Security numbers or driver’s license numbers. This billing information included first and last name, OA medical record number, a code related to the services provided, date(s) of service, treating physician name, appointment location, dollar amount of charges and name of insurance company. For some individuals, potentially impacted information may have included Social Security number, driver’s license number, address, email address, telephone number, date of birth, appointment schedules, referral forms, or insurance plan numbers. For OA staff, potentially impacted information could also have included bank account and payroll information. OA has mailed notification letters to all potentially affected individuals and each letter will describe the type of information potentially impacted, which is specific to the individual.
OA takes the protection of information seriously. In addition to engaging a cybersecurity response firm, OA promptly took (and continues to take) other actions to further protect its patients, staff, and systems post-incident, including implementing additional security measures. OA continues to monitor the situation closely. OA’s cybersecurity firm has been monitoring the dark web, and at the time of this notification letter, no evidence has been found of any OA documents.
We encourage OA patients and staff to be vigilant in reviewing all types of financial accounts, insurance statements, and credit reports for fraudulent or irregular activity. Some specific steps individuals can take to protect their personal data are available below.
If you were only a patient of OA Facial Plastics, none of your information was involved. The attacker had no access to any OA Facial Plastics data.
If you have any questions or need assistance, please call (866) 528-6375 between 9:00 AM and 6:30 PM EDT, Monday through Friday, excluding federal holidays.
Protecting Your Personal Data
Under U.S. law, an individual is entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. To order your free credit report visit www.annualcreditreport.com or call toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.
Individuals can place a “Fraud Alert” for one year at no cost. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
Individuals also have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. You may place a security freeze on your credit report by sending a request in writing, by mail, to all three nationwide credit reporting agencies, listed below.
Should you wish to place a fraud alert or credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax
https://www.equifax.com/personal/credit-report-services/
Equifax Fraud Alert
P.O. Box 105069
Atlanta, GA 30348-5069
Equifax Credit Freeze
P.O. Box 105788
Atlanta, GA 30348-5788
Experian
https://www.experian.com/help/
Experian Fraud Alert
P.O. Box 9554
Allen, TX 75013
Experian Credit Freeze
P.O. Box 9554
Allen, TX 75013
TransUnion
https://www.transunion.com/credit-help
TransUnion Fraud Alert
P.O. Box 2000
Chester, PA 19016
TransUnion Credit Freeze
P.O. Box 160
Woodlyn, PA 19094