As a small physician-owned and private medical practice, we have always prioritized providing high-quality care and services, which includes privacy and securing information entrusted to us.
You, a family member, or one of your loved ones may have received a recent letter from QRS, Inc., informing you that your personal records stored on QRS’ server may have been compromised as a result of a data security incident. The letter from QRS is legitimate and related to a recent data security incident.
QRS has been our patient portal company for more than six years. Despite QRS’ safeguards, an unknown and unauthorized third party accessed the patient portal server that QRS hosts, manages, and maintains for us and other medical providers. Upon learning of the incident, QRS immediately took the server offline and began an investigation. They engaged a forensic security firm to confirm the security of their network, analyze the incident and determine the extent of the Protected Health Information (PHI) that may have been accessed or acquired by the third party. The unauthorized access to the server occurred in late August. The PHI accessed for each person varies. The PHI may include one or more items including their name, Social Security number, date of birth, address, and limited medical treatment or diagnosis information.
QRS informed our practice of this breach on September 7, 2021, during the early stages of its investigation, and also chose to keep the affected patient portal offline permanently. Records remain available to our practice, and we continue to provide quality care to our patients. QRS has made subsequent updates using additional information acquired through its investigation. Once QRS had enough information, they worked with our practice to provide our patients with notice of the event.
Like our practice, QRS regrets the situation and its impact on our patients and practice. To safeguard our patient information, we will continue to closely monitor QRS’ remedial actions, which include implementing multi-factor identification on core QRS systems for key administrators and implementing a Security Information and Event Management system (SIEM). QRS also continues to review and update its information security policies for the patient records they hold for our practice. We continue to evaluate our practice’s local system. Again, we regret the unfortunate situation occurring with QRS’ systems.
To get further information, you may call QRS’ toll-free number 855-675-3080 from 9 a.m. – 9 p.m. EST, Monday through Friday or visit.
Please allow our staff to prioritize patient care, appointment setting, and follow-ups while QRS helps you with any concerns you have about this breach and your records. We are sorry for any inconvenience or concern this incident may cause you.
Additional Important Information
As a precautionary measure, we recommend that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general, as well as the Federal Trade Commission (“FTC”).
You may wish to review the tips provided by the FTC on fraud alerts, security/credit freezes and steps you can take to avoid identity theft. For more information and to contact the FTC, please visit www.ftc.gov/idtheft or call 1-877-ID-THEFT (1-877-438-4338). You may also contact the FTC at Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Credit Reports: You may obtain a free copy of your credit report once every 12 months from each of the three national credit reporting agencies by visiting www.annualcreditreport.com, by calling toll-free 1-877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can print a copy of the request form at:
Alternatively, you may elect to purchase a copy of your credit report by contacting one of the three national credit reporting agencies. Contact information for the three national credit reporting agencies for the purpose of requesting a copy of your credit report or for general inquiries is as follows:
* Offline members will be eligible to call for additional reports quarterly after enrolling.
** The Identity Theft Insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions.
Fraud Alerts: You may want to consider placing a fraud alert on your credit report. A fraud alert is free and will stay on your credit report for one (1) year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any new accounts in your name. To place a fraud alert on your credit report, contact any of the three national credit reporting agencies using the contact information listed above. Additional information is available at www.annualcreditreport.com.
Credit and Security Freezes: You may have the right to place a credit freeze, also known as a security freeze, on your credit file, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate the freeze. A credit freeze can be placed without any charge and is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a credit freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a credit freeze may delay your ability to obtain credit. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. Since the instructions for how to establish a credit freeze differ from state to state, please contact the three major credit reporting companies as specified below to find out more information:
This notification was not delayed by law enforcement. Individuals interacting with credit reporting agencies have rights under the Fair Credit Reporting Act.
We encourage you to review your rights under the Fair Credit Reporting Act by visiting https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf, or by requesting information in writing from the Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
Iowa Residents: Iowa residents can contact the Office of the Attorney general to obtain information about steps to take to avoid identity theft from the Iowa Attorney General’s office at: Office of the Attorney General of Iowa, Hoover State Office Building, 1305 E. Walnut Street, Des Moines IA 50319, 515-281-5164.
Maryland Residents: Maryland residents can contact the Office of the Attorney General to obtain information about steps you can take to avoid identity theft from the Maryland Attorney General’s office at: Office of the Attorney General, 200 St. Paul Place, Baltimore, MD 21202, (888) 743-0023, http://www.marylandattorneygeneral.gov/.
New York State Residents: New York residents can obtain information about preventing identity theft from the New York Attorney General’s Office at: Office of the Attorney General for the State of New York, Bureau of Consumer Frauds & Protection, The Capitol, Albany, New York 12224-0341; https://ag.ny.gov/consumer-frauds/identity-theft; (800) 771-7755.
North Carolina Residents: North Carolina residents can obtain information about preventing identity theft from the North Carolina Attorney General’s Office at: North Carolina Attorney General’s Office, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001; 877-5-NO-SCAM (Toll-free within North Carolina); 919-716-6000; www.ncdoj.gov.
Rhode Island Residents: We believe that this incident affected Rhode Island residents. Rhode Island residents can contact the Office of the Attorney general at: Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903, (401) 274-4400, www.riag.ri.gov. You have the right to obtain any police report filed in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
Vermont Residents: If you do not have internet access but would like to learn more about how to place a security freeze on your credit report, contact the Vermont Attorney General’s Office at 802-656-3183 (800-649-2424 toll-free in Vermont only).