Notice of Third-Party Security Incident Impacting CHSPSC Affiliate Data

This notice provides information regarding a security incident experienced by Fortra, LLC (“Fortra”), which Fortra reported occurred between January 28, 2023 and January 30, 2023 that resulted in the unauthorized disclosure of personal information. Fortra is a cybersecurity firm that contracts with CHSPSC, LLC (“CHSPSC”) to provide a secure file transfer software called GoAnywhere. CHSPSC is a professional services company that provides services to hospitals and clinics affiliated with Community Health Systems, Inc. (“CHSPSC Affiliates”). You may be affected if you received services at one of the CHSPSC Affiliates, are a family member or guarantor with respect to a patient, or are a current or former employee of CHSPSC Affiliates. For a list of hospitals that are CHSPSC Affiliates and links to their websites to help you determine if you may be affected, please visit please visit https://www.chs.net/serving-communities/locations/#USMap. Please also refer to the FAQs below for additional information about locations and other questions.

Fortra informed us it became aware of the incident the evening of January 30, 2023 and took impacted systems offline on January 31, 2023, stopping the unauthorized party’s ability access the system. According to Fortra, the unauthorized party used a previously unknown vulnerability to gain access to Fortra’s systems, specifically Fortra’s GoAnywhere file transfer service platform, compromising sets of files throughout Fortra’s platform.

CHSPSC received this information from Fortra on February 2, 2023, and immediately began its own investigation of potential impact of the Fortra incident on CHSPSC Affiliate personal information. CHSPSC has determined at this point in its investigation that CHSPSC Affiliate personal information relating to patients, a limited number of employees, and other individuals may have been disclosed to the unauthorized party as a result of the Fortra incident. The personal information may have included full name, address, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as date of birth and social security number.

Both CHSPSC and Fortra have been in contact with law enforcement, including the Federal Bureau of Investigation (“FBI”) and the Cybersecurity and Infrastructure Security Agency (“CISA”), and are supporting law enforcement’s investigation.

To protect against an incident like this from reoccurring, Fortra informed us that it has deleted the unauthorized party’s accounts, rebuilt the secure file transfer platform with system limitations and restrictions, and produced a patch for the software. CHSPSC has also implemented additional security measures, including immediate steps to implement measures to harden the security of CHSPSC’s use of the GoAnywhere platform.

CHSPSC is making available ID restoration and credit monitoring services for the period required by applicable state law, which will be 24 months, at no cost to you, through Experian to all potentially affected individuals who enroll. For individuals who would like to enroll in these services or who have questions related to this incident, CHSPSC has established a toll-free response line that can be reached at 800-906-7947, and is available Monday through Friday from 8 am – 10 pm Central, or Saturday and Sunday from 10 am – 7 pm Central (excluding major U.S. holidays). If you are interested in enrolling in these services, the deadline to enroll is October 31, 2023. Be prepared to provide your engagement number: adults use B086999 and minors use B087000. You may also enroll online using the instructions provided in our FAQs further below.

This notice also provides other precautionary measures you can take to protect your personal information, including placing a fraud alert and security freeze on your credit files and obtaining a free credit report. Additionally, you should always remain vigilant in reviewing your financial account statements and credit reports for fraudulent or irregular activity on a regular basis. See “What else can you do to protect your personal information?” below.

Please be assured we are committed to protecting personal information. We share your frustration with this security incident, and we apologize for any inconvenience it this may cause you. We are working very hard to limit the impact of the Fortra incident on you. If you have further questions or concerns, please call 800-906-7947. Please refer to hours and engagement numbers above.

What else can you do to protect your personal information?

We recommend you remain vigilant and consider taking the following steps to avoid identity theft, obtain additional information, and protect your personal information:

Order your free credit report at annualcreditreport.com, call toll-free at 877-322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (FTC) website at www.ftc.gov. When you receive your credit report, review the entire report carefully. Look for any inaccuracies and/or accounts you don’t recognize and notify the credit bureaus as soon as possible in the event there are any. You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information.

Place a fraud alert on your credit file. A fraud alert helps protect you against an identity thief opening new credit in your name. With this alert, when a merchant checks your credit history when you apply for credit, the merchant will receive a notice that you may be a victim of identity theft and to take steps to verify your identity. You also have the right to place a security freeze on your credit file. A security freeze generally will prevent creditors from accessing your credit file at the three nationwide credit bureaus without your consent. You can place a fraud alert or request a security freeze by contacting the credit bureaus. The credit bureaus may require that you provide proper identification prior to honoring your request.

• Equifax®
  P.O. Box 740256
  Atlanta, GA 30374
  1-800-525-6285
  www.equifax.com
• Experian®
  P.O. Box 9554
  Allen, TX 75013
  1-888-397-3742
  www.experian.com
• TransUnion®
  P.O. Box 2000
  Chester, PA 19016
  1-800-680-7289
  www.transunion.com

Remove your name from mailing lists of pre-approved offers of credit for approximately six months.

If you aren’t already doing so, please pay close attention to all bills and credit card charges you receive for items you did not contract for or purchase. Review all your bank account statements frequently for checks, purchases, or deductions not made by you. Note that even if you do not find suspicious activity initially, you should continue to check this information periodically since identity thieves sometimes hold on to stolen personal information before using it.

The FTC offers consumer assistance and educational materials relating to identity theft, privacy issues, and how to avoid identity theft. You may also obtain information about fraud alerts and security freezes from the consumer reporting agencies, your state Attorney General, and the FTC. If you detect any incident of identity theft or fraud, promptly report the incident to your local law enforcement authorities, your state Attorney General, and/or the FTC. You can learn more about how to protect yourself from becoming an identity theft victim (including how to place a fraud alert or security freeze) by contacting the FTC at 877.IDTHEFT (1-877-438-4338), or www.ftc.gov/idtheft. The mailing address for the FTC is: Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580.

For District of Columbia Residents: You can obtain additional information about steps to take to avoid identity theft from the Office of the Attorney General for the District of Columbia, 441 4th Street, NW, Washington, DC 200001, 202.727.3400, oag.dc.gov.

For Maryland Residents: You can obtain information about steps you can take to help prevent identity theft from the Maryland Attorney General at: 200 St. Paul Place, Baltimore, MD 21202, 888.743.0023, oag.state.md.us.

For New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit see a summary of rights or visit ftc.gov.

In addition, New Mexico consumers may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have the right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act. For more information about obtaining a security freeze, go to https://consumer.ftc.gov/articles/what-know-about-credit-freezes-fraud-alerts.

For New York Residents: You may also contact the following state agencies for information regarding security breach response and identity theft prevention and protection information: 1) New York Attorney General, 212-416-8433 or https://ag.ny.gov/internet/resource-center; or 2) NYS Department of State’s Division of Consumer Protection, 800-697-1220 or https://dos.ny.gov/consumer-protection.

For North Carolina Residents: You can obtain information about steps you can take to help prevent identity theft from the North Carolina Attorney General at: 9001 Mail Service Center, Raleigh, NC 27699, 1-877-566-7226, ncdoj.gov.

For Rhode Island Residents: You may contact and obtain information from and/or report identity theft to your state attorney general at:

Rhode Island Attorney General’s Office
150 South Main Street
Providence, RI 02903
Phone: 401-274-4400
Website: www.riag.ri.gov

You have the right to obtain a copy of the applicable police report, if any, relating to this incident.

Frequently Asked Questions (FAQs)

Q1: How to sign up for Experian’s® IdentityWorks℠?

To help protect your or your minor’s identity, we are offering a complimentary 24 month membership of Experian’s® IdentityWorks℠. This product provides superior identity detection and resolution of identity theft. To activate this membership and start monitoring your or your minor’s personal information please follow the steps below:

• Ensure that you enroll by: October 31, 2023 (Your code will not work after this date.)
• For Adults, visit the Experian® IdentityWorks℠ website to enroll:
  • Visit https://www.experianidworks.com/plus
  • Provide Activation Code: 79GT7X5Q66
  • Provide your information when prompted
• For Minors, visit the Experian® IdentityWorks℠ website to enroll:
  • Visit https://www.experianidworks.com/minorplus
  • Provide Activation Code:PMSNQG6FZR
  • Provide your or your minor’s information when prompted

If you have questions about the product, need assistance with identity restoration for you or your minor or would like an alternative to enrolling in Experian® IdentityWorks℠ online, please contact Experian’s® customer care team at 800-906-7947 by October 31, 2023. Be prepared to provide engagement number B086999 for adults or B087000 for minors as proof of eligibility for the identity restoration services by Experian®.

A credit card is not required for enrollment in Experian® IdentityWorks℠.

Q2: What are additional details regarding your Experian® IdentityWorks℠ Membership?

A credit card is not required for enrollment in Experian® IdentityWorks℠.

You can contact Experian® immediately regarding any fraud issues, and have access to the following features once you enroll in Experian® IdentityWorks℠:

• Experian® credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only.*
• Credit Monitoring: Actively monitors Experian® file for indicators of fraud.
• Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web.
• Identity Restoration: Identity Restoration specialists are immediately available to help you address credit and non-credit related fraud.
• Experian® IdentityWorks℠ ExtendCARE™:You receive the same high-level of Identity Restoration support even after your Experian® IdentityWorks℠ membership has expired.
• Up to $1 Million Identity Theft Insurance**: Provides coverage for certain costs and unauthorized electronic fund transfers.

If you believe there was fraudulent use of your information and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent at 800-906-7947. If, after discussing your situation with an agent, it is determined that Identity Restoration support is needed, then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).

Please note that this Identity Restoration support is available to you for 24 months from the date of this letter and does not require any action on your part at this time. The Terms and Conditions for this offer are located at www.ExperianIDWorks.com/restoration. You will also find self-help tips and information about identity protection at this site.

* Offline members will be eligible to call for additional reports quarterly after enrolling.

** The Identity Theft Insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Q3: What are additional details regarding your minor’s Experian® IdentityWorks℠ Membership?

A credit card is not required for enrollment in Experian® IdentityWorks℠.

You can contact Experian® immediately regarding any fraud issues, and have access to the following features once you enroll in Experian® IdentityWorks℠ for your minor:

• Social Security Number Trace: Monitoring to determine whether enrolled minors in your household have an Experian® credit report.Alerts of all names, aliases and addresses that become associated with your minor’s Social Security Number (SSN) on the Experian® credit report.
• Internet Surveillance: Technology searches the web, chat rooms & bulletin boards 24/7 to identify trading or selling of your personal information on the Dark Web.
• Identity Restoration: Identity Restoration specialists are immediately available to help you address credit and non-credit related fraud.
• Experian® IdentityWorks℠ ExtendCARE™: Receive the same high-level of Identity Restoration support even after the Experian® IdentityWorks℠ membership has expired.
• Up to $1 Million Identity Theft Insurance*: Provides coverage for certain costs and unauthorized electronic fund transfers.

If you believe there was fraudulent use of your minor’s information and would like to discuss how you may be able to resolve those issues, please reach out to an Experian® agent at 800-906-7947. If, after discussing your situation with an agent, it is determined that Identity Restoration support is needed, then an Experian® Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).

Please note that this Identity Restoration support is available to your minor for 24 months from the date of this letter and does not require any action on your part at this time. The Terms and Conditions for this offer are located at www.ExperianIDWorks.com/restoration. You will also find self-help tips and information about identity protection at this site.

* The Identity Theft Insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.

Q4: Am I affected?

Those with personal information known to be affected will be mailed a letter. For a list of hospitals that are CHSPSC Affiliates and links to their websites to help you determine if you may be affected, please visit https://www.chs.net/serving-communities/locations/#USMap. If you believe you may have been affected, and have not received a letter, we are still able to assist you with enrolling in the complimentary 24 month membership to Experian® IdentityWorks℠ credit monitoring service. Please refer to the instructions in Q1 above.

Q5: Who is CHSPSC?

CHSPSC is a professional services company that provides services to hospitals and clinics affiliated with Community Health Systems, Inc. (“CHSPSC Affiliates”). You may be affected if you received services at one of the CHSPSC Affiliates, or are a family member or guarantor with respect to a patient. For a list of hospitals that are CHSPSC Affiliates and links to their websites to help you determine if you may be affected, please visit https://www.chs.net/serving-communities/locations/#USMap. Please also see the list of entities below CHSPSC Affiliates may be associated with, including formerly owned facilities. If you are uncertain about whether you received services at one of our clinics, ambulatory surgery centers, or other locations, please email us at fortra@chs.net for assistance.

• AllianceHealth Clinton | Clinton, OK (Closed)
• AllianceHealth Durant | Durant, OK
• AllianceHealth Madill | Madill, OK
• AllianceHealth Ponca City | Ponca City, OK
• AllianceHealth Seminole | Seminole, OK (Divested 7/1/2022)
• AllianceHealth Woodward | Woodward, OK
• Bayfront Health St. Petersburg | St. Petersburg, FL (Divested 10/1/2020)
• Bluffton Regional Medical Center | Bluffton, IN
• Bravera Health Brooksville | Brooksville, FL
• Bravera Health Seven Rivers | Crystal River, FL
• Bravera Health Spring Hill | Spring Hill, FL
• Brownwood Regional Medical Center | Brownwood, TX (Divested 10/27/2020)
• Carlsbad Medical Center | Carlsbad, NM
• Carolinas Hospital System | Florence, SC (Divested 3/1/2019)
• Cedar Park Regional Medical Center | Cedar Park, TX
• Chester Regional Medical Center | Chester, SC (Divested 3/1/2019)
• Commonwealth Health Berwick Hospital | Berwick, PA (Divested 12/1/2020)
• Crestwood Medical Center | Huntsville, AL
• Davis Regional Medical Center | Statesville, NC
• DeTar Hospital Navarro | Victoria, TX
• DeTar Hospital North | Victoria, TX
• Dukes Memorial Hospital | Peru, IN
• Dupont Hospital | Fort Wayne, IN
• East Georgia Regional Medical Center | Statesboro, GA
• Eastern New Mexico Medical Center | Roswell, NM
• Flowers Hospital | Dothan, AL
• Gadsden Regional Medical Center | Gadsden, AL
• Grandview Medical Center | Birmingham, AL
• Greenbrier Valley Medical Center | Ronceverte, WV (Divested 1/1/2023)
• Lake Granbury Medical Center | Granbury, TX
• Lake Norman Regional Medical Center | Mooresville, NC
• Lake Wales Medical Center | Lake Wales, FL (Divested 9/1/2019)
• Laredo Medical Center | Laredo, TX
• Lea Regional Medical Center | Hobs, NM (Divested 1/1/2021)
• Longview Regional Medical Center | Longview, TX
• Lower Keys Medical Center | Key West, FL
• Lutheran Downtown Hospital | Fort Wayne, IN
• Lutheran Hospital of Indiana | Fort Wayne, IN
• Lutheran Kosciusko Hospital | Warsaw, IN
• Mat-Su Regional Medical Center | Palmer, AK
• Medical Center Enterprise | Enterprise, AL
• Medical Center of South Arkansas | El Dorado, AR
• Merit Health Biloxi | Biloxi, MS
• Merit Health Central | Jackson, MS
• Merit Health Madison | Canton, MS
• Merit Health Natchez | Natchez, MS
• Merit Health Rankin | Brandon, MS
• Merit Health River Oaks | Flowood, MS
• Merit Health River Region | Vicksburg, MS
• Merit Health Wesley | Hattiesburg, MS
• Merit Health Woman’s Hospital | Flowood, MS
• Metro Knoxville Physicians Regional | Knoxville, TN (Closed)
• Moberly Regional Medical Center | Moberly, MO
• Moses Taylor Hospital | Scranton, PA
• MountainView Regional Medical Center | Las Cruces, NM
• Munroe Regional Medical Center | Ocala, FL (Divested 8/1/2018)
• Navarro Regional Hospital | Corsicana, TX
• North Okaloosa Medical Center | Crestview, FL
• Northern Louisiana Medical Center | Ruston, LA (Divested 7/1/2020)
• Northeast Regional Medical Center | Kirksville, MO
• Northwest Health – La Porte | La Porte, IN
• Northwest Health – Porter | Valparaiso, IN
• Northwest Health – Starke | Knox, IN
• Northwest Health Physicians’ Specialty Hospital, a campus of Siloam Springs Regional Hospital | Fayetteville, AR
• Northwest Medical Center | Fayetteville, AR
• Northwest Medical Center – Bentonville | Bentonville, AR
• Northwest Medical Center – Springdale | Springdale, AR
• Northwest Medical Center – Willow Creek Women’s Hospital | Johnson, AR
• Northwest Medical Center Houghton | Tucson, AZ
• Northwest Medical Center Sahuarita | Sahuarita, AZ
• Oro Valley Hospital | Oro Valley, AZ
• Physicians Regional Medical Center – Collier | Naples, FL
• Physicians Regional Medical Center – North | Naples, FL
• Physicians Regional Medical Center – Pine Ridge | Naples, FL
• Plateau Medical Center | Oak Hill, WV (Divested 4/1/2023)
• Poplar Bluff Regional Medical Center | Poplar Bluff, MO
• Regional Hospital of Scranton | Scranton, PA
• Rehabilitation Hospital of Fort Wayne | Fort Wayne, IN
• San Angelo Community Medical Center | San Angelo, TX (Divested 10/24/2020)
• Santa Rosa Medical Center | Milton, FL
• Shands Lake Shore Regional Medical Center | Lake City, FL (Closed)
• Shands Live Oak Regional Medical Center | Live Oak, FL (Divested 5/1/2020)
• ShorePoint Health – Port Charlotte | Port Charlotte, FL
• ShorePoint Health – Punta Gorda | Punta Gorda, FL
• ShorePoint Health – Venice | Venice, FL (Closed)
• Siloam Springs Regional Hospital | Siloam Springs, AR
• South Baldwin Regional Medical Center | Foley, AL
• Southside Regional Medical Center | Petersburg, VA (Divested 1/1/2020)
• Tennova Healthcare – Newport Medical Center | Newport, TN
• Tennova Healthcare – Clarksville | Clarksville, TN
• Tennova Healthcare – Cleveland | Cleveland, TN
• Tennova Healthcare – Harton | Tullahoma, TN (Divested 1/1/2021)
• Tennova Healthcare – Jefferson Memorial Hospital | Jefferson City, TN
• Tennova Healthcare – LaFollette Medical Center | LaFollette, TN
• Tennova Healthcare – North Knoxville Medical Center | Powell, TN
• Tennova Healthcare – Turkey Creek Medical Center | Knoxville, TN
• The Orthopaedic Hospital of Lutheran Health Network | Fort Wayne, IN
• Tyler Memorial Hospital | Tunkhannock, PA (Consolidated under Regional Hospital of Scranton on 10/1/2021)
• Western Arizona Regional Medical Center | Bullhead City, AZ
• Wilkes-Barre General Hospital | Wilkes-Barre, PA
• Woodland Heights Medical Center | Lufkin, TX

Q6: What specific information was disclosed about me?

The personal information may have included your full name, address, medical billing and insurance information, certain medical information such as diagnoses and medication, and demographic information such as date of birth and social security number.

Q7: What did you do when learning of the incident?

Fortra became aware of the incident the evening of January 30, 2023 and took impacted systems offline on January 31, 2023, stopping the unauthorized party’s ability access the system. Fortra informed CHSPSC of the incident on February 2, 2023, and we immediately began our own investigation which included regular communications with Fortra and efforts to understand the scope of the incident. We also contacted law enforcement.

Q8: Has the intrusion been contained?

Fortra has reported to us that the incident has been contained.

Q9: What are you doing about this so it does not happen again?

To protect against an incident like this from reoccurring, Fortra informed us that it has deleted the unauthorized party’s accounts, reset the secure file transfer platform with system limitations and restrictions, and issued a software patch. CHSPSC has also implemented additional security measures, including immediately applying the patch.

Q10: Have you notified the police?

Both CHSPSC and Fortra have been in contact with law enforcement, including the Federal Bureau of Investigation (“FBI”) and the Cybersecurity and Infrastructure Security Agency, and are supporting law enforcement’s investigation.

Q11: Should I close my bank account?

We do not have any information indicating your bank account information was included in the CHSPSC records involved. However, we still encourage you to sign up for the complimentary 24 month membership to Experian® IdentityWorks℠ credit monitoring service.

Q12: Should I close my credit card or other accounts?

We do not have any information indicating your credit card information was included in the CHSPSC records involved. However, we still encourage you to sign up for the complimentary 24 month membership to Experian® IdentityWorks℠ credit monitoring service.

Q13: What if I don’t want to wait on a letter and want credit monitoring now?

We are happy to provide that for you now. Please refer to the instructions in Q1 above.

Q14: What locations may have been affected?

For a list of hospital locations of CHSPSC Affiliates and links to their websites, please visit https://www.chs.net/serving-communities/locations/#USMap. CHSPSC Affiliates may provide additional information about their locations and providers. Please also see the list of entities in Q5 above CHSPSC Affiliates may be associated with, including formerly owned facilities. If you are uncertain about whether you received services at one of our clinics, ambulatory surgery centers, or other locations, please email us at fortra@chs.net for assistance.