AMEDISYS, INC.
BATON ROUGE, La., March 3, 2015 - As part of its commitment to ensure the appropriate protection of health information, Amedisys Inc. (NASDAQ: AMED), a leading home health and hospice company, is reporting the results of an extensive risk management process to locate and verify its large computer inventory. The process identified approximately 142 encrypted computers and laptops for which reports are required under federal and state data privacy laws.
Amedisys has no indication of external hacking into its network, and no evidence that any patients or former patients have suffered any actual harm. Amedisys is reporting these computers as required under applicable law and in an abundance of caution because it cannot rule out unauthorized access to patient data on the devices.
"The confidentiality and security of patient information has been and will remain a top priority for Amedisys," says Jeffrey Jeter, Chief Compliance Officer at Amedisys. "We have worked actively with leading risk management and technology experts to inventory and assess devices that may contain personal or health information and ensure the integrity of our information security systems." As a part of its process, Amedisys engaged Booz Allen Hamilton to assess and enhance its security and inventory systems and practices to ensure the protection of sensitive patient information.
All Amedisys devices are robustly protected with 256-bit disk encryption, administrator restrictions, and several other security protections designed to safeguard the personal and medical information of the Company's patients. Depending on the device, this information may have included any or all of the following: name, address, Social Security number, date of birth, insurance ID numbers, medical records and other personally identifiable data.
The devices at issue were originally assigned to Amedisys clinicians and other team members who left the company between 2011 and 2014, and represent approximately .3% of the total number of devices that were used at Amedisys during that time period. For any device that could not be verified through Amedisys' inventory management process as of February 23,
2015, Amedisys is notifying the U.S. Department of Health and Human Services, state agencies, and approximately 6,909 individuals whose information may be involved.
Potentially impacted individuals are being offered identity theft protection services, including credit monitoring, to protect against any possible harm that could arise from the incident. In addition to monitoring their financial statements for unusual activity, affected individuals
should also carefully review communications from Amedisys and contact the Company with any questions.
Amedisys understands that the Office of Civil Rights, U.S. Department of Health and Human Services ("OCR"), will review the Company's compliance with applicable laws, as is typical for any data breach involving more than 500 individuals. Once such a review, or any other regulatory review, is formally commenced, the Company intends to cooperate with OCR and any other applicable regulatory authorities.
Further information is available at www.Amedisys.com/Securityor by calling 1-855-205-6937.
# # #
smh@thinkrevivehealth.com
Kendra Kimmons (225) 299-3720 kendra.kimmons@amedisys.com
david.castille@amedisys.com
2
|
distributed by
|
