Bridgewater Associates, LP offers employees continuing health coverage (COBRA) when they separate from the firm. That coverage is administered by Ceridian, who maintain a database with the employees’ and their dependents’ names, addresses, dates of birth, Social Security numbers, and other benefit plan information (but no medical information).
On or about April 11, a Bridgewater consultant’s login password to that database was changed without their knowledge or authorization. The problem was detected a day later, and investigation revealed that there had been three separate occasions on which the credentials had been used to access the database. The identity of the unauthorized individual had not been determined by June 28, when Bridgewater notified those affected and reported the incident to the New Hampshire Attorney General’s Office.
The firm offered those affected free credit monitoring and stated that it was in the process of finding a new vendor to maintain the database. No explanation was provided as to why, if the problem was detected on or about April 12, it took until June 28 to notify those affected, although the firm did state that notification was not delayed by any law enforcement investigation.
Update: The incident was also reported to Maryland.