On April 3, 2023, South Suburban Surgical Suites, LLC (South Suburban) discovered that an unauthorized third party gained access to a legacy Microsoft Office 365-hosted business email account through phishing. “Phishing” occurs when an email is sent that looks like it is from a trustworthy source, but it is not. The phishing email prompts the recipient to share or give access to certain information. Upon discovery, South Suburban immediately took action to prevent any further unauthorized activity, began an investigation, and a leading security firm was engaged. On May 1, 2023, South Suburban learned that this incident may have involved personal information. Based on the investigation, the unauthorized party was able to access the business email account between February 20, 2023 and April 3, 2023. This email account is separate from South Suburban’s internal network and systems, which were not affected by this incident. Through the review, which was completed on June 5, 2023, South Suburban determined that personal information of affected individuals was in the impacted business email account.
Personal information involved in this incident may have included one or more of the following elements: (1) information to identify the individual (such as full name, address, and date of birth); (2) Social Security number, driver’s license/state ID number, passport number, credit card information, and/or financial account information; (3) medical and/or treatment information (such as medical record number, dates of service, provider, diagnosis or procedure information, and prescription/medication); (4) health insurance information (such as payor name and subscriber/Medicare/Medicaid number); and (5) billing and claims information. Please note that not all data elements were involved for all individuals.
South Suburban takes privacy and security very seriously. As soon as South Suburban discovered the incident, it immediately took action to prevent any further unauthorized activity, including resetting the user password for the business email account where unauthorized activity was detected and blocking malicious IP addresses and URLs. South Suburban has enhanced and continues to enhance its security controls and monitoring practices as appropriate to minimize the risk of any similar incident in the future, and it has retired the legacy environment in which the incident occurred.
South Suburban is providing additional information on general steps individuals can take to monitor and protect their personal information in Additional Resources at the top of this page. Individuals should carefully review credit reports and statements sent from healthcare providers and financial institutions as well as their insurance company to ensure that all account activity is valid. Any questionable charges should be promptly reported to the company which maintains the account. For individuals whose Social Security number, driver’s license/state ID number, passport number, credit card information, and/or financial account information may have been involved, South Suburban has arranged to offer free credit monitoring and identity restoration services to these individuals.