From their press release of March 10:
Universal Care, Inc. dba Brand New Day (BND) announced today that it has notified individuals related to a privacy incident involving information stored by a third-party vendor. The incident did not involve information that was stored or maintained on BND’s own systems.
On December 28, 2016, BND learned that an unauthorized individual gained access to electronic files stored on computer systems maintained by a third-party vendor that provides patient management software applications to BND and its providers. This incident was reported by BND to law enforcement. Thereafter, law enforcement investigators required that any notification to potentially affected individuals and any public announcement of the incident should be withheld while they were conducting their investigation. Following law enforcement’s permission to notify, BND began this notification as quickly as possible once BND had completed its investigation.
Based on BND’s investigation, it was determined that the files stored by the third-party vendor contained personal information on BND members, including patient names, addresses, phone numbers, dates of birth and Medicare ID numbers. It does not appear that driver’s license numbers or California identification card numbers were involved in the information that was accessed.
BND is committed to the security of all sensitive information maintained by its third-party vendors and is taking this matter very seriously. To help prevent this type of incident from happening again, BND contacted the third-party vendor the same day we became aware of the breach to advise them of the breach. The vendor eliminated the error in their system within hours. BND will also request its third-party vendor to take steps to enhance the security of its systems that maintain BND patient data. As an added precaution, BND is offering 12 free months of identity theft and mitigation services to affected individuals to help prevent and detect misuse of their personal information. To obtain information on how to access these services, please contact any of the individuals named below.
We regret any inconvenience caused by this incident. We began mailing notification letters to affected individuals on March 9, 2017. If you believe you may be affected and have not received a letter by March 31, 2017, or to obtain information regarding the offer for identity theft and mitigation services or if you need any other information or wish to contact us with concerns, please call us at any of the following numbers, Monday through Friday, 9 a.m. to 7 p.m. PST (closed on U.S. observed holidays):
Jonathan Devin Wheeler, J.D. Compliance Analyst
P.O. Box 93122
Long Beach, CA 90809-9871
866-255-4795, ext. 4078
Connie Snyder Compliance Officer
P.O. Box 93122
Long Beach, CA 90809-9871
866-255-4795, ext. 5054
Source: Universal Care, Inc. dba Brand New Day
The incident was reported to HHS on February 10 as affecting 14,005 patients. Because the vendor is not named, it is not known whether any other healthcare entities have also been affected, but in its notification to the California Attorney General’s Office, BND offers the following additional details:
A contracting provider was able to access (via a third party vendor system) data containing your name, date of birth, Medicare ID number, address, and phone number. This information should have been available only to your provider.
BND also disclosed in the notification to the AG’s Office that the incident occurred on December 22, 2016.