MADISON HEIGHTS, Mich., July 12, 2019 /PRNewswire/ -- Although it has no confirmation that personal or protected health information was viewed without authorization, Northwood, Inc. ("Northwood") in Madison Heights, Michigan announced today that it has taken action after becoming aware of an incident in which an unknown third party gained access to an employee email account. Out of an abundance of caution, Northwood is providing notice of this event to potentially impacted individuals, as well as certain regulators.
What Happened? On May 6, 2019, Northwood became aware of suspicious activity relating to an employee email account. They immediately launched an investigation to determine what may have happened and what information may have been affected. Working together with a leading computer forensics expert, their investigation determined that an unauthorized individual or individuals accessed the email account between May 3, 2019 and May 6, 2019. Because Northwood was unable to determine which email messages in the account may have been opened or viewed by the unauthorized actor, they reviewed the contents of the entire email account to identify what personal information was stored within it.
What Information Was Involved? On June 19, 2019, Northwood determined that the affected email account contained information related to certain individuals who received durable medical equipment either supplied or managed by Northwood, including the following types of information: name, address, date of birth, date(s) of service, provider name, medical record number, patient identification number, medical device description, diagnosis, diagnosis code(s), treatment information, member health plan identification, and in a very small number of instances, Social Security number, driver's license number and health insurance provider name were also impacted for healthcare plan members.
Separately, also contained in the impacted email account was information pertaining to certain healthcare providers in connection with their exclusion status with the Centers for Medicare & Medicaid Services, including their names and Social Security numbers.
Northwood cannot confirm whether any individual's personal information was actually accessed or viewed without permission. They are providing this notification out of an abundance of caution.
What They Are Doing. Northwood has strict security measures in place to protect the information in its possession. Upon learning of this incident, they immediately took the impacted email account offline and changed the account password. Northwood then implemented mandatory password resets for all employee email accounts and notified employees to be on the lookout for suspicious emails. They implemented additional technical safeguards on their email system, as well as training and education for employees to prevent similar future incidents. They are also offering the impacted individuals access to complimentary credit monitoring services as an added precaution. Because Northwood has insufficient contact information for some of the individuals whose information may be contained in the impacted employee email account, Northwood is providing notice to potentially impacted individuals by way of a notification published to certain state media outlets and in certain state media publications. Northwood is mailing notice letters to those individuals for whom it has confirmed mailing address information. Northwood has reported this incident to law enforcement.
For More Information. Northwood has established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals may call 800-494-0297, 8:00 a.m. to 5:30 p.m. CST, Monday through Friday with questions or if they would like additional information.
What You Can Do. Northwood encourages everyone to remain vigilant and take steps to protect against possible identity theft or other financial loss by reviewing their account statements and Explanation of Benefits statements regularly and monitoring their credit reports for suspicious activity. Under U.S. law, individuals over the age of 18 are entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report.
Northwood encourages individuals who believe they may be affected by this incident to take additional action to further protect against possible identity theft or other financial loss. At no charge, individuals can also have the credit bureaus place a "fraud alert" on their credit file that alerts creditors to take additional steps to verify their identity prior to granting credit in their name. Note, however, that because it tells creditors to follow certain procedures to protect the individual, it may also delay their ability to obtain credit while the agency verifies their identity. As soon as one credit bureau confirms the individual's fraud alert, the others are notified to place fraud alerts on the individual's file. Should the individual wish to place a fraud alert, or should the individual have any questions regarding his or her credit report, the individual can contact any one of the agencies listed below.
An individual may also place a security freeze on their credit reports. A security freeze prohibits a credit reporting agency from releasing any information from an individual's credit report without the consumer's written authorization. However, individuals should be aware that placing a security freeze on their credit report may delay, interfere with, or prevent the timely approval of any requests they make for new loans, credit mortgages, employment, housing, or other services. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Individuals will need to place a security freeze separately with each of the three major credit bureaus listed above if the individual wishes to place the freeze on all of their credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver's license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence.
To find out more on how to place a security freeze, individuals can contact the credit reporting agencies using the information below:
Individuals can further educate themselves regarding identity theft, fraud alerts, and the steps they can take to protect themselves, by contacting the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580, www.ftc.gov/idtheft/, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Individuals can obtain further information on how to file such a complaint by way of the contact information listed above. Instances of known or suspected identity theft should also be reported to law enforcement. This notice has not been delayed by law enforcement. For Maryland residents, the Attorney General can be contacted by mail at 200 St. Paul Place, Baltimore, MD, 21202; toll-free at 1-888-743-0023; by phone at (410) 576-6300; consumer hotline (410) 528-8662; and online at www.marylandattorneygeneral.gov. For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit "prescreened" offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. You may have additional rights under the Fair Credit Reporting Act not summarized here.
Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580. For North Carolina Residents: The North Carolina Attorney General can be contacted by mail at 9001 Mail Service Center, Raleigh, NC 27699-9001; toll-free at 1-877-566-7226; by phone at 1-919-716-6400, and online at www.ncdoj.gov. For Rhode Island Residents: The Rhode Island Attorney General can be reached at: 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, 1-401-247-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident. There are approximately 502 Rhode Island residents impacted by this incident. This notice has not been delayed by a law enforcement investigation.
SOURCE Northwood, Inc.