A Notice to our Patients - Adirondacks ACO Incident


Adirondacks ACO, LLC (“Adirondacks ACO”) is an accountable care organization (“ACO”) that consists of various local health care providers, including Glens Falls Hospital. ACO providers coordinate among themselves, and with each individual, to improve the individual’s quality of care. To help accomplish this function, the ACO receives and analyzes patient information pertaining to the services we provide to patients. Regrettably, this notice concerns an incident involving some of that information.

On May 3, 2019, the ACO notified Glens Falls Hospital that it had recently discovered unauthorized remote access to an email account assigned to a joint employee of Adirondacks ACO and Champlain Valley Physician’s Hospital (“CVPH”), one of Adirondacks ACO’s partner hospitals. CVPH discovered the incident on March 4, 2019, and immediately secured the email account to prevent any further access and began an investigation. CVPH performed a comprehensive review of the account’s content and determined that emails and/or attachments reflected services performed by Adirondacks ACO related to its member providers and carriers, and included select patient information. The information may have included some patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. In a limited number of instances, patients’ Social Security numbers were also included in the account.

This incident did not affect all Glens Falls Hospital patients, but only some patients who had information contained in the affected email account.

There is no indication that any patient information was actually viewed or accessed, or that it has been misused. However, the ACO has mailed letters to those patients whose information was identified in the account. The ACO has also established a dedicated call center to answer questions for affected patients. If you believe you are affected but do not receive a letter by July 19, 2019, please call 1-877-347-0178, from 9:00 a.m. to 9:00 p.m. Eastern time, Monday through Friday. The letters provide additional information about how affected patients can protect themselves.

For patients whose Social Security number was contained in the email account, the ACO is offering complimentary credit monitoring and identity protection services. It is also recommended that patients review any billing or explanation of benefits statements they receive from their health care insurers or health care providers. If they see services they did not receive, they should contact the health insurer or provider immediately.

Glens Falls Hospital and the ACO remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, the ACO and CVPH continue to assess systems and implement safeguards to address risks. They are also reinforcing employee training on how to detect and avoid phishing emails.