Data Security Incident

r

Notice of Data Security Incident

Healthcare technology services company QRS, Inc. (“QRS”) recently discovered that it was the victim of a cyber-attack that involved the personal information, including the health information, of some of its clients’ patients. Although QRS is not aware of any identity theft or fraud to any person as a result of this incident, it is notifying the potentially affected patients on behalf of its clients to advise them about the steps QRS has taken to investigate the incident and provide them with guidance about monitoring their information.

Among other services, QRS hosts the electronic patient portal for certain healthcare providers. On August 26, 2021, QRS discovered that a cyber-attacker accessed one QRS dedicated patient portal server and may have acquired certain personal information stored on that specific server. Upon discovering the attack, QRS immediately took the server offline, began an investigation, and notified law enforcement. QRS also engaged a forensic security firm to confirm the security of its network, analyze the incident, and determine the extent of the personal information that may have been accessed or acquired by the third party. The investigation determined that the attacker accessed the single server from August 23, 2021, to August 26, 2021. During this time, the attacker accessed, and may have acquired, files on the server that contained certain individuals’ personal information. The information may have included, depending on the individual, their name, address, date of birth, Social Security number, patient identification number, portal username, and/or medical treatment or diagnosis information. This attack did not involve any other QRS systems or the systems of any of QRS’s clients.

QRS notified its clients of the incident and worked with its clients to notify their potentially affected patients, as quickly as possible. On October 22, 2021, on behalf of QRS’s clients, QRS began sending written notifications to individuals whose personal information was accessed by the attacker and for whom QRS has contact information. QRS, on behalf of its clients, also arranged for complimentary identity theft protection services for those individuals whose Social Security numbers were involved in the incident.

Individuals should refer to the notice they will receive in the mail regarding steps they can take to protect themselves. Again, there is no indication of any identity theft or fraud occurring as a result of this incident, however, as a precautionary measure, potentially affected individuals should remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely. If individuals detect any suspicious activity on an account, they should promptly notify the financial institution or company with which the account is maintained. They should also promptly report any fraudulent activity or any suspected identity theft to proper law enforcement authorities, including the police and their state’s attorney general. Individuals may also wish to review the tips provided by the Federal Trade Commission (“FTC”) on fraud alerts, security/credit freezes and steps that they can take to avoid identity theft. For more information and to contact the FTC, please visit www.ftc.gov/idtheft or call 1-877-ID-THEFT (1-877-438-4338). Individuals may also contact the FTC at: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

QRS deeply regrets any concern or inconvenience this incident may cause. QRS is taking steps to investigate the attack and assess and address the risk of a similar incident occurring in the future. QRS is providing a dedicated confidential, toll-free inquiry line at 855-675-3080 from 9:00 a.m. to 9:00 p.m. Eastern, Monday through Friday which potentially affected individuals may contact for additional information.

Skip to content