The following press release is not the first press release we have seen from NHS Management, LLC, a business associate in Alabama. Coverage of a previous press release in January can be found on this site, here.
Comparing the new press release, below, to the previous one, it appears that ongoing investigation revealed that the attack began months earlier than had previously been recognized and that they have now identified even more patients who needed to be notified. A copy of the most recent statement is also available on their website, prominently linked from their homepage.
This incident was initially reported to HHS in October 2021 as impacting 501 patients, a number that generally appears to just be a marker to indicate that the entity is complying with the duty to notify HHS of a breach but does not yet know the actual number affected. That number on HHS’s site has not yet been updated.
TUSCALOOSA, Ala., March 11, 2022 /PRNewswire/ — NHS Management, LLC (“NHS”) is providing notice of an event that may affect the security of certain information. NHS provides consulting services to nursing and physical rehabilitation facilities located in Alabama, Arkansas, Florida, and Missouri. On May 16, 2021, NHS discovered that it was the victim of a sophisticated cyberattack. NHS immediately took steps to stop the attack and mitigate the harm. NHS launched an investigation with the assistance of a third-party forensic team to confirm the full nature and scope of the incident and restore functionality to impacted systems. Through the investigation, NHS determined that an unauthorized actor accessed certain NHS systems and information stored therein between February 25, 2021 and May 16, 2021. Although NHS has no evidence of any identity theft or fraud in connection with this incident, the documents on these systems that were determined to have been accessed or potentially accessible were reviewed by a third-party data review team to determine what, if any, personal information was contained within them. On February 4, 2022, this extensive review identified certain personal information was present within the affected documents. NHS then undertook efforts to confirm the identities of the individuals whose information was present in the documents and began providing notice once they located the contact information to do so.
To be clear, NHS has uncovered no evidence that any employee or patient information was misused. Nevertheless, out of an abundance of caution, NHS is working to provide notice to its employees, nursing home residents and patients, and any other individuals whose personal information was contained within the affected systems and involved in the incident. As a precautionary measure, NHS is providing notice to potentially affected individuals for whom they have valid mailing addresses, so that these individuals may take further steps to best protect personal information, should they feel it is appropriate to do so. NHS also notified the U.S. Department of Health & Human Services’ Office for Civil Rights and federal law enforcement.
The information that may have been impacted by this incident could have included one or more of the following: an individuals’ name; address and other contact information; medical history; treatment or diagnosis information; health information; health insurance information; Social Security number, date of birth, and/or driver’s license number. However, not every data element would have been impacted for every individual, and there is no evidence of unauthorized access to the database that contains electronic medical records.
NHS takes this incident and the security of personal information in their care very seriously. Upon learning of this incident, NHS moved quickly to investigate, to secure the relevant NHS systems, and begin notifying potentially affected individuals. As part of their ongoing commitment to the security of information, NHS is also reviewing and enhancing existing policies and procedures to reduce the likelihood of a similar future event. NHS encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, explanation of benefits, and credit reports for suspicious activity and to detect errors over the next 12 to 24 months. Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report, place a fraud alert, or a security freeze. Contact information for the credit bureaus is below.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the prior two to five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.); and
- A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a fraud alert or credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax, P.O. Box 105069, Atlanta, GA, 30348, 1-800-685-1111, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com. Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.
For more information you may write to NHS at 931 Fairfax Park, Tuscaloosa, AL 35406.
SOURCE NHS Management, LLC