Information about BST Security Incident Involving CCP Data

You may have received a letter from BST, CCP’s accounting firm, notifying you of a security incident they experienced that affected some of CCP’s patients. Visit this page to learn more about what happened, who was potentially affected, what information was involved, and what was done in response to the incident.

Information about BST Security Incident Involving CCP Data

BST & Co. CPAs, LLP (BST), an accounting firm in the Albany area, was the victim of a ransomware attack, a computer virus, that encrypted files on its computer network without authorization and prohibited access to those files. On this network was data for some of BST’s local clients to whom the company provides accounting and tax services, including Community Care Physicians (CCP). Luckily, BST was quickly able to restore all the files from its backups and maintained the integrity of the files, as well. This is good news; however, there was an unauthorized intrusion into BST’s network that contained Community Care Physicians’ data. Out of an abundance of caution, BST is providing notice of the event to potentially impacted individuals (letter in the mail from BST), to the media, and to certain regulators, and they have put measures in place to make sure this doesn’t happen again.

CCP takes our patients’ security and privacy very seriously. It’s important to know this was not a Community Care Physicians incident. Our patients’ data remains secure with CCP. BST immediately addressed the incident and it was successfully handled. The data involved wasn’t the most sensitive type of data.  It didn’t include EMR data, financial information or social security numbers, or even addresses. So that’s a very good thing. We also have no evidence that any of this data was accessed or used by anybody.


What happened? 

On December 7, 2019, BST learned that part of its network was infected with a virus that prohibited access to its files.  BST quickly restored its systems and engaged an industry-leading forensic investigation firm to determine the nature and scope of this incident. After a thorough analysis of all available forensic evidence, the investigation determined the virus was active on BST’s network from December 4, 2019, to December 7, 2019. The virus was introduced by an unknown individual or individuals outside of BST who gained access to part of the network where certain client files are stored, including files from CCP.

Because of the risk that data may have been accessed, acquired, or otherwise disclosed from its network without authorization due to the virus, BST reviewed the files in detail to determine what, if any, personal health information they contained. By February 5, 2020, in conjunction with CCP, BST confirmed the files contained some personal information for certain individuals and ascertained the addresses of these patients to communicate the security incident to them directly.


Who should individuals contact for more information?

If individuals have questions or would like additional information, they may call BST’s dedicated assistance line at 866-977-0784 (toll free), Monday through Friday, 9:00 a.m. to 9:00 p.m., Eastern Time.


Who is BST and why do they have Community Care Physicians’ data?

BST is a multi-disciplinary accounting, tax and advisory firm headquartered in Albany, NY. It has many clients across the area, including the medical group, Community Care Physicians. Just like how many people need to share their financial information with an accountant to do their taxes, CCP has to share financial information that may contain patient information with our accountant, BST.  BST doesn’t use your information in connection with any other purpose other than for tax/accounting reasons. 


How did BST discover the incident?

On December 7, 2019, BST learned that some files on its system had been encrypted.  It immediately began investigating the nature and source of the encryption and learned that BST was a victim of a ransomware attack.

How do I know if I was affected?

If your data was part of the CCP file on the BST network, you would have received a letter from BST at your address on file with CCP. Letters were sent Friday, February 14, 2020. Again, we want to stress that we have no evidence that any of this data was accessed or used by anybody. Patients should give the letter a few days to get to them. This letter has all the details about what occurred, and also information about the complimentary services that BST is making available to those affected who may want to monitor their identity.


What type of data is involved? 

We want to reassure you that the information included isn’t the most sensitive data, such as financial information, bank account numbers, social security numbers, or medical diagnoses. Instead, the information that may have been exposed includes name, date of birth, billing codes, insurance description (A definition of the billing / CPT code), and medical record number.  A medical record number is a randomly assigned internal number used by CCP and doesn’t tie to any other personal information.


Do I need to get a new insurance card?

No. The insurance description contained in the data is just a general description of the billing code/ CPT code.  Your account number for your insurer was not involved. 


Why is BST communicating the incident and not CCP?

BST communicated the incident because their network was the one affected and they were the victim of the ransomware attack; it occurred on BST’s network where it stores client files, including files from Community Care Physicians.


Do you know whether any unauthorized person received personal information?

No.  BST’s investigation did not confirm that an unauthorized individual obtained your personal information.  However, to mitigate risk, BST is offering one year of identity monitoring without cost to potentially affected individuals.


What is BST doing in response to the event?

BST takes this incident very seriously. BST provided a letter to every CCP patient whose data may have been affected and offered identity monitoring services without cost to potentially affected individuals for one year.


What is BST doing to prevent similar events from happening in the future?

We again just want to stress that CCP’s systems were not affected and your data remains secure with CCP. The fact that one of our business partners experienced an incident like this is taken very seriously. BST is taking steps to minimize the potential for unauthorized access to their environment and making reasonable efforts to ensure the continued security of your information.


How many people were affected?

This did not affect all of CCP's patients, but it is considered a “major breach” because more than 500 individuals were affected.


What if an individual becomes aware of unusual account or credit report activity, or suspects he or she has recently become a victim of identity theft?

Please contact local law enforcement and give them details about any suspicious incidents.


I received a letter in the mail.  Is this fraudulent, a scam, or a real incident?

Federal and state law require that BST notifies you by mail.  We can assure you that this incident did occur, and we are offering the support identified within the notification letter.  We encourage letter recipients to take advantage of their Equifax credit monitoring offer.


I did not receive a letter in the mail. What does this mean?

If you did not receive a letter, it is because we have no information to suggest that any of your personal information was potentially impacted at this time. You to call the patient call line that is set up – 866-977-0784 — and they can verify your data wasn’t potentially accessed. You can call Monday-Friday 9am to 9pm.


What can individuals do now to protect themselves and their personal information?

We recommend you remain alert to potential misuses of your personal information and we recommend you take proactive steps to protect yourself from any unwanted use of your information that may occur as a result of this incident if you were one of our patient’s affected.

While the forensic investigation could not conclude that any of our patients’ protected health information was accessed or acquired by an unauthorized individual, out of concern for you, BST is providing any patient affected with one year of identity monitoring at no cost to you to allow you to take steps to protect your personal information, if you feel it is appropriate to do so.

Take a look at your letter. Under the “Additional Resources” section, there is detailed guidance on how to protect your information and what to do if you believe your information is being misused.


I received a bill from CCP recently. Was this tied to the security incident?

No. If you recently received an invoice from CCP regarding an outstanding balance on your account, we assure you that the invoice is valid, and the invoice was not sent to you as a result of the data incident that occurred at BST. 


Remember the patient call line you can use for any questions.

If individuals have questions or would like additional information, they may call BST’s dedicated assistance line at 866-977-0784 (toll free), Monday through Friday, 9:00 a.m. to 9:00 p.m., Eastern Time.





All News