Hospital Español Auxilio Mutuo de Puerto Rico, Inc. is posting this substitute notice to provide customers and individuals with information about the data security incident experienced by our organization that may have involved their information as described below. We take privacy and security very seriously and are providing notice about the incident, steps you can take to help protect your information, and the opportunity to enroll in complimentary credit monitoring services.

What Happened: On September 23, 2023, the Department of Homeland Security informed Hospital Español Auxilio Mutuo de Puerto Rico, Inc. that our systems could be the target of a cyberattack. Immediately upon receiving this notice, we initiated our incident response plan, retained legal counsel, and engaged outside IT experts (through counsel) in cyber incident response. On November 21, 2023, our initial investigation identified evidence consistent with unauthorized access to certain systems, but was unable to conclude the extent, if any, of data misuse or exfiltration.

In an attempt to further determine the extent of the incident, we launched a second investigation, and on May 15, 2024, our preliminary findings identified unauthorized activity on Auxilio Mutuo’s systems. Although ultimately inconclusive, on September 24, 2024, a comprehensive review of available evidence by internal and external IT experts limited the potentially affected patients to those who visited our facility between August 2022 and September 2023.

Although there is no evidence at this time to affirmatively conclude that personal and health information has been exfiltrated by this incident, out of an abundance of caution, we are providing this notice and steps you can take to protect personal information.

What Information Was Involved:The information potentially impacted includes your first and last name, in combination with the following data element(s):

• Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
• Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
• Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or Other personal information such as Social Security numbers, driver’s license or state ID numbers, or passport numbers.

What We Are Doing:Upon learning of the incident, we took immediate steps to address it, including securing our systems. We also retained legal counsel and engaged outside forensic specialists to assist with determining the nature and scope of the incident as outlined above. We have taken steps to strengthen our network systems to reduce the risk of a similar incident occurring in the future. We also are providing you with an opportunity to enroll in Medical Shield Pro and Equifax WebDefend services at no cost to you. These services provide you with alerts for 12 months from the date of enrollment. These services will be provided by CyEx and Equifax respectively, both companies specialize in fraud assistance and remediation services. Instructions about how to enroll in these services and additional resources available to you are included in the enclosed “Steps You Can Take to Help Protect Your Information.”

What You Can Do: To date, we are not aware of any reports of identity fraud or improper use of your personal or health information as a result of this incident. Nor do we have any indication that your personal or health information has been or is threatened to be misused. However, it is always prudent for persons to remain vigilant against incidents of identity theft and fraud by reviewing your credit reports and account statements for suspicious activity and to detect errors. If you discover any suspicious or unusual activity on your accounts, please promptly contact the financial institution or company. We have provided additional information below, which contains more information about steps you can take to help protect yourself against fraud and identity theft, as well as credit monitoring enrollment instructions.

For More Information: Should you have any questions or concerns, please contact our dedicated assistance line at 1- 877-721-5315 between the hours of 9:00 a.m. and 9:00 p.m. Eastern Standard Time, Monday through Friday for assistance. Please know that the security of information is of the utmost importance to us. We stay committed to protecting your trust in us and continue to be thankful for your support during this time.

Sincerely,
Jorge J. Velez Gutierrez
General Counsel
Hospital Español Auxilio Mutuo de Puerto Rico, Inc

Enrollment Instructions

Medical Shield Pro
If you need assistance with the enrollment process or have questions regarding Medical Shield, please call Medical Shield directly at 866.622.9303.

Equifax WebDefend

Key Features

• Equifax WebDetect internet scanning alerts you if your information is found on websites used by fraudsters
• Equifax Social Scan searches social media sites and reports on fraud risks of information you may be sharing

Enrollment Instructions

If you currently have, or have previously had an Equifax service, you will not be able to register online.
Please contact Equifax Customer Care team Monday – Friday 9am – 5pm GMT at +44 (0)800 587 1584 or outside of the UK at +442037885496.

Monitor Your Accounts and Credit Reports

We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing your credit reports/account statements and explanation of benefits forms for suspicious activity and to detect errors. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus, TransUnion, Experian, and Equifax. To order your free credit report, visit www.annualcreditreport.com or call 1-877-322-8228. Once you receive your credit report, review it for discrepancies and identify any accounts you did not open or inquiries from creditors that you did not authorize. If you have questions or notice incorrect information, contact the credit reporting bureau.

You have the right to place an initial or extended “fraud alert” on a credit file at no cost.  An initial fraud alert is a one- year alert that is placed on a consumer’s credit file.  Upon seeing a fraud alert, a business is required to take steps to verify the consumer’s identity before extending new credit.  If you are a victim of identity theft, you are entitled to an extended fraud alert lasting seven years.  Should you wish to place a fraud alert, please contact any of the three credit reporting bureaus listed below.

As an alternative to a fraud alert, you have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without your express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report.  To request a credit freeze, you should provide the following information:

1. Full name (including middle initial as well as Jr., Sr., III, etc.);
2. Social Security number;
3. Date of birth;
4. Address for the prior two to five years;
5. Proof of current address, such as a current utility or telephone bill;
6. A legible photocopy of a government-issued identification card (e.g., state driver’s license or identification card); and A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft, if you are a victim of identity theft.

Should you wish to place a fraud alert or credit freeze, please contact the three major credit reporting bureaus listed below:

Additional Information

You can further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the credit reporting bureaus, the Federal Trade Commission (FTC), or your state Attorney General. The FTC also encourages those who discover that their information has been misused to file a complaint with them. The FTC may be reached at 600 Pennsylvania Ave. NW, Washington, D.C. 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.

You have the right to file a police report if you ever experience identity theft or fraud.  Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement, your state Attorney General, and the FTC. This notice has not been delayed by law enforcement. For D.C. residents, the District of Columbia Attorney General may be contacted at 441 4th Street NW #1100, Washington, D.C. 20001; 202-727-3400, and https://oag.dc.gov/consumer-protection.

For Maryland residents, the Maryland Attorney General may be contacted at Office of the Attorney General, 200 St. Paul Place, Baltimore, MD 21202; 1-888-743-0023; or www.marylandattorneygeneral.gov.

For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act: (i) the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; (ii) the consumer reporting agencies may not report outdated negative information; (iii) access to your file is limited; (iv) you must give consent for credit reports to be provided to employers; (v) you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; (vi) and you may seek damages from violators.  You may have additional rights under the Fair Credit Reporting Act not summarized here.  Identity theft victims and active-duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act.  We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting https://files.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, FTC, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.

For New York residents, the New York Attorney General may be contacted at Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov.

For North Carolina residents, the North Carolina Attorney General may be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov.

For Oregon residents, the Oregon Attorney General may be contacted at Oregon Department of Justice, 1162 Court St. NE, Salem, OR 97301-4096; 1-877-877-9392; and https://doj.state.or.us/consumer-protection/.

For Rhode Island residents, the Rhode Island Attorney General may be contacted at 150 South Main Street, Providence, RI 02903; 1-401-274-4400; and www.riag.ri.gov.  Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident.