Notice of Data Privacy Event
UPDATE TO NOTICE OF DATA PRIVACY EVENT
Updated: February 12, 2019
On February 12, 2018, Ohio Living will begin mailing additional letters to individuals potentially incident. While Ohio Living initially provided notice on September 7, 2018, due to a processing issue, mailing addresses for all impacted individuals were not identified at that time and Ohio Living made further efforts to identify such information. Through additional diligence, Ohio Living confirmed the most recent billing address information for additional affected individuals on January 30, 2019. If individuals have additional questions or would like additional information, they may call our dedicated assistance line at 1-855-742-6218 (toll free), Monday through Saturday, 9:00 a.m. to 9:00 p.m., EST.
About the data privacy event
Ohio Living recently discovered an incident that may affect the security of personal information of certain individuals who received care from Ohio Living facilities. We take this incident very seriously, and we have been working diligently, with the assistance of third-party forensic investigators, to determine the full nature and scope of this incident. We are taking additional actions to strengthen the security of our email systems moving forward. Ohio Living is also contacting the appropriate regulators regarding this incident.
What happened? On July 19, 2018, Ohio Living determined that there were potential unauthorized logins into some Ohio Living employee email accounts. Previously, on July 10, 2018, we became aware of suspicious activity relating to an employee email account. We quickly launched an investigation to determine what may have happened and what information may have been affected. Working together with a leading computer forensics expert, our investigation determined that an unknown individual accessed employee email accounts on July 10, 2018. Because we were unable to determine which email messages may have been opened or taken by the unauthorized actor, we reviewed the email accounts to identify what personal information was stored within them.
What information may have been affected by this incident?On September 4, 2018, Ohio Living determined that the affected email accounts contained, and the unauthorized actor may have had access to, information related to certain individuals who attended an Ohio Living facility, and/or received treatment from an Ohio Living facility, including the following types of information: name, contact information, Social Security number, financial information, date of birth, medical record number, patient identification number, medical and/or clinical information including diagnosis and treatment information, and health insurance information.
The type of information affected varies per impacted individual. Although we cannot confirm that any individual’s personal information was actually accessed, viewed, or acquired without permission, we are providing this notice out of an abundance of caution. While our investigation is ongoing, we do not currently have any evidence of actual or attempted misuse of resident or patient information as a result of this incident.
How will individuals know if they are affected by this incident? Ohio Living is mailing notice letters to the individuals whose protected information was contained within the affected email accounts and may have been accessed or acquired by an unauthorized actor. If an individual did not receive a letter but would like to know if they are affected, they may call the hotline listed below.
What is Ohio Living doing? Information privacy and security are among our highest priorities. Ohio Living has strict security measures to protect the information in our possession. Upon learning of this incident, we quickly disabled the known impacted employee email account, changed the password, and notified our other employees to be on the lookout for suspicious emails. We then implemented password resets for all employees. We are currently implementing additional training and education for employees to prevent similar future incidents.
Although we are not aware of any actual or attempted misuse of any individuals’ information, we are also providing the impacted individuals access to complimentary credit monitoring services as an added precaution.
Whom should individuals contact for more information? If individuals have additional questions or would like additional information, they may call our dedicated assistance line at 877-670-0980 (toll free), Monday through Friday, 9:00 a.m. to 9:00 p.m., EST.
What can individuals do to protect their information?
Monitor Your Accounts
To further protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements, and to monitor your credit reports for suspicious activity. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.
We recommend that you regularly review any Explanation of Benefits statements that you receive from your insurer. If you see any service that you believe you did not receive, please contact your insurer at the number on your statement. If you do not receive regular Explanation of Benefits statements, you can contact your insurer and request that they send such statements following the provision of services in your name or number.
Credit Reports. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.
Fraud Alerts. At no charge, you can also have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it may also delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
P.O. Box 105069
Atlanta, GA 30348
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
Security Freeze. You may also place a security freeze on your credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. If you have been a victim of identity theft, and you provide the credit bureau with a valid police report, it cannot charge you to place, lift, or remove a security freeze. In all other cases, depending on your residence, a credit bureau may charge you a fee to place, temporarily lift, or permanently remove a security freeze. You will need to place a security freeze separately with each of the three major credit bureaus listed above if you wish to place a freeze on all of your credit files.
To find out more on how to place a security freeze, you can use the following contact information:
Equifax Security Freeze Experian Security Freeze TransUnion
P.O. Box 105788 P.O. Box 9554 P.O. Box 2000
Atlanta, GA 30348 Allen, TX 75013 Chester, PA 19016
1-800-685-1111 1-888-397-3742 1-888-909-8872
https://www.freeze.equifax.com www.experian.com/freeze/ www.transunion.com/
Additional Information. You can further educate yourself regarding identity theft, and the steps you can take to protect yourself, by contacting your state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should be reported to law enforcement, your Attorney General, and the FTC. You can also further educate yourself about placing a fraud alert or security freeze on your credit file by contacting the FTC or your state’s Attorney General.