Hilltop Health Services Notifies Individuals of Possible Data Security Incident

GRAND JUNCTION, COLORADO – December 13, 2019 – Hilltop Health Services has become aware of a data security incident that may have resulted in unauthorized access to patient information. At this time, there is no evidence of any attempted or actual misuse of any patient information. However, we are notifying any patient whose information may have been accessed in order to provide details of the incident, our response to the incident, and resources to help protect any patients in the event they were affected. Your trust is a top priority at Hilltop, and we sincerely apologize for any inconvenience or concern this incident may cause you.

On August 23, 2019, we discovered that one of our employees’ email accounts was potentially subject to unauthorized access. We immediately notified our information technology team, who undertook an investigation and found additional evidence suggesting that certain employee email accounts were accessed by unknown unauthorized parties. Subsequently, we engaged an industry-leading computer forensic firm to investigate the nature and extent of the unauthorized access to our email system. The investigation identified certain employee email accounts that were potentially accessed by unauthorized parties as a result of a presumed phishing campaign targeting our employees.

On November 16, 2019, after a search of the contents of the affected email accounts, we discovered that the accessed email accounts may have contained patient information about some of our current and former patients including patients’ first and last names in combination with one or more of the following attributes: protected health information, Social Security numbers, and health insurance information. The incident was limited to our Family Resource Center and Residential Youth Services program. Once again, we have no evidence of misuse of anyone’s information as a consequence of this incident. Nonetheless, we are informing our patients of this incident out of an abundance of caution.

In light of this incident, we are offering complimentary identity theft restoration and credit monitoring services through Kroll to help protect any impacted current and/or former patients for one year. If you think your information may be at risk, please call 877-514-0832 Monday through Friday, 7:00 a.m. to 4:30 p.m. Mountain Time.

At Hilltop, we take data privacy and security very seriously and are actively taking steps to guard against something like this happening again. Such steps include, but are not limited to, enabling multi-factor authentication for access to all employee email accounts, conducting additional education and training for all staff members regarding how to identify and prevent malicious emails and phishing campaigns, including launching KnowBe4® Training, and working with government agencies where applicable. We have invested and will continue to proactively invest our resources to improve our data protection capabilities. We sincerely regret any inconvenience or concern that this matter may cause you and remain dedicated to ensuring the privacy and security of all information in our control.

Sincerely,
Carter Bair
Chief Financial Officer and Security Officer
Hilltop Health Services
