Yale Medicine has discovered a cybersecurity incident, involving the records of patients seen by Dr. Tito Vasquez at his former practice, Connecticut Plastic Surgery Group LLC, between 2009 and May 2021. This notice concerns a data security event that may have resulted in unauthorized access to patient information.
As background, Yale Medicine acquired the private practice of Dr. Tito Vasquez in May 2021. All medical records after that date have been securely stored in Yale’s medical record system and were not affected by this incident. Before May 2021, Dr. Vasquez’s practice maintained a different medical record system on its own computer.
What Happened. On September 12, 2022, Yale Medicine learned that an unauthorized third party accessed a computer and installed malicious software that rendered files on the computer inaccessible. The unauthorized access to the computer began on or about August 11, 2022. Based on our cybersecurity investigation, we cannot rule out the possibility that, as a result of this incident, files containing some patient information may have been subject to unauthorized access.
What Information was Involved. For some patients, only basic information, such as name and mailing or email address, was involved. For others, the information may have included visit notes, photographs, Social Security number, date of birth, driver’s license number, insurance information, and credit card numbers. Only information provided to Dr. Vasquez’s office before May 2021 was affected. If you provided information to Dr. Vasquez’s office after May 2021 or were seen at other Yale practices, that information was not affected.
Please be assured that at this time, we have no information indicating that any patient information was misused or shared, and the incident did not involve the records of any other Yale Medicine practices.
What We Are Doing. We are committed to providing quality care, including protecting patient information. We have policies and procedures to help ensure the confidentiality, integrity, and security of patient information. We are conducting an in-depth investigation into the incident and are taking steps to help reduce the possibility of a similar event occurring in the future, including reviewing computer security at Yale Medicine practice groups and improving procedures for securing computers owned by practices that join Yale Medicine.
Yale is notifying affected patients by mail. If patients who provided information to Dr. Vasquez’s practice before May 2021 have not received a letter from us, it may be because we do not have up-to-date contact information for them. Yale has set up a dedicated call center, run by Kroll, for patients to call with questions. Patients who believe they are affected but do not receive a letter by November 25, 2022, should call 855-926-1375, Monday through Friday between 9:00 a.m. and 6:30 p.m. Eastern Time, excluding major U.S. holidays.
What You Can Do. Yale does not have any evidence that anyone has suffered identity theft as a result of this incident. However, we encourage affected individuals to actively monitor for the possibility of fraud and identity theft by reviewing their credit report for any unauthorized activity. In addition, the notification letters we have sent to affected individuals provide additional steps they can take to protect themselves, including instructions for enrollment in a complimentary identity monitoring services.