Chicago-based Assisted Living Concepts, LLC and its subsidiaries own and/or operate 200 assisted living facilities in 20 states. ALC uses an external vendor to process its payroll for its employees.
On February 14, the vendor notified ALC that they had detected unauthorized access to ALC’s payroll database. Investigation revealed that ALC’s login credentials had been acquired and misused to gain access to the payroll database containing current and former employees’ names, addresses, birth dates, Social Security numbers, and pay information.
The unauthorized access occurred between December 14, 2013 and January 14, 2014, and affected 43,600 employees. The vendor was not named in ALC’s notification, and it is not clear whether the login credentials were obtained from someone at ALC via phishing or some other means, or whether they were obtained from someone on the vendor’s end.
ALC deactivated the compromised login credentials, took the payroll database offline, and notified the FBI and state authorities.
In letters that went out this week, ALC offered affected current and former employees free credit monitoring via Experian ProtectMyID.
You can read ALC’s notification to New Hampshire and affected employees on the New Hampshire Attorney General’s website, here (pdf).
Updates: The breach was also reported to Vermont residents and Maryland residents.
Update 3: On March 28, ALC notified New Hampshire that on March 13, they discovered that 7,810 dependents of current and former employees also had their information involved.
I work for you and another employee told me about the letter so this is why i’m emailing you now I would like for you to send me an email instead of a letter with the information that i need to get protected and the services your offering to help me feel safe.
thank you,
robin in kelso washington
I hope you actually emailed them and didn’t just post a request here, as I doubt they’ll read the comments on this blog.
Any idea who the payroll provider was?
No clue. If you find out, please let me know.
I’m trying to find out too. It’s strange how so many articles have been published on the web concerning this entire fiasco and yet not one mention is made anywhere of the name of the company who was responsible for this.
It’s not uncommon for a vendor/contractor’s name to be shielded, and yes, it’s frustrating, which is why I try to follow-up over time to see if we can find out more.
What’s so upsetting is this company contracted by ALC could have prevented this from happening. It’s frustrating to say the least knowing your your name, DOB, social and banking information is out there floating around somewhere. I have called my former employer and they will not return my calls. I just had someone hack into my checking account in the last few days and I cannot help but wonder if it is directly connected with this breach. I will be forced to go down to close out all of my accounts and reopen new ones and I will also have to cancel my card and get a new one. It’s extremely anguishing to know that all of your personal information has been contracted out to a third-party without your knowledge or consent. Where to go from here???