March 13, 2024

Incident report: Customer data loss

At Tebra, the security of our customers’ information is of paramount importance, and when an incident occurs that might threaten that security, no matter the severity, we believe we should communicate transparently. To that end, we are providing an overview of a phishing incident impacting customer information and our response.

What happened?

On March 13, 2024, Tebra identified that certain customer information was obtained by an outside party due to human error. Tebra is unaware of any actual misuse of this information and, out of an abundance of caution, has notified potentially impacted customers. There was no unauthorized access to the Tebra platform, no system was breached, and no protected health information (PHI), patient payment, or claim data was impacted.

What information was obtained:

  • Customer business name
  • Tebra account ID number
  • Billing contact name
  • Billing contact email address
  • Primary telephone number
  • Any outstanding balance amounts

What information was not obtained:

  • No credit card information
  • No banking information
  • No account passwords
  • No patient information

What have we done?

We have notified all potentially impacted customers.

As a HITRUST-certified company, we have adopted a best-in-class, industry-leading approach to incident response whenever an issue like this occurs. We’re analyzing how the incident occurred and taking strong, proactive steps to prevent it from occurring again in the future.

Tebra also adheres to the rigorous standards set forth by the Payment Card Industry Security Standards Council (PCI SSC). These standards ensure that businesses like ours handle credit card information in a secure manner, protecting it from unauthorized access, fraud, and other potential risks. Part of this includes making it so that no Tebra employee can see your encrypted bank account or credit card information. This is how we were able to ensure that your direct accounting information, like your bank account information or credit card number, was not exposed.

What you should do

To protect yourself from potential fraud — including attempts to impersonate Tebra in order to send fictitious invoices or false wiring instructions — we recommend that you exercise extreme caution and do not provide payments or payment information other than through the Tebra platform. Please note, Tebra will only collect payment from you via an automatic charge to your payment method on file (ACH or credit card) within the Tebra platform. We will never take ACH or credit card information over the phone, email, or SMS.

If you ever need to update your payment information, it can be done directly on the Tebra platform. For instructions on how to update your payment information, please visit helpme.tebra.com. Any other request that does not align with these processes should not be followed, even if you receive instructions to do so.

Please be cautious of any requests for personal or financial information, and contact your Account Representative or Tebra directly at (866) 938-3272 if you have any doubts about the legitimacy of a communication from us. If you do feel like you’ve been contacted by someone attempting to fraudulently collect money from you, our recommendation is to report them through the FTC’s Fraud Report system here: https://reportfraud.ftc.gov/

What you shouldn’t do

Do not provide payments or payment information other than through the Tebra platform. Tebra will only collect payment from you via an automatic charge to your payment method on file (ACH or credit card) within the Tebra platform. If you ever need to update your payment information, it can be done directly on the Tebra platform. Instructions on how to update your payment information are available for the Practice Management application, Practice Operations platform, and Practice Growth platform. Any other request should not be followed, even if you receive instructions to do so.

Next steps

We at Tebra recognize the widespread danger of phishing incidents, and we have already taken measures to train employees and prevent them. We also recognize that the frequency and sophistication of these attacks are increasing across the healthcare industry and all other industries. In light of this incident, we will be retraining our internal teams and increasing the frequency of training around data security procedures. We are also working with our email service provider to implement new, expanded safeguards around fraudulent emails.

There will be no impact on your service or subscription as a result of this incident.

We apologize and are working hard to resolve this matter as quickly as possible. We take your security and business very seriously and will continue to update you with any relevant information.