TUSCALOOSA, Ala., Jan. 14, 2022 /PRNewswire/ — NHS Management, which manages 50 long-term care and rehabilitation facilities in four states, says the firm is continuing to assess and evaluate the extent of a data incident which took place in May of last year.
When the incident was discovered on May 16, 2021, NHS immediately began investigation of the sophisticated cyberattack with the assistance of a third-party team of security specialists. Employees and other known affected individuals were promptly notified of the incident and advised to take steps to secure sensitive data.
While the range and scope of the data compromised is still unclear, this cyberattack in no way affected the quality of patient care.
NHS takes very seriously the security of all data pertaining to any aspect of its operations. The process of reviewing the data that may have been accessed to identify any additional impacted individuals is ongoing. In the meantime, NHS has taken the necessary steps to help ensure the security of its data system going forward.
Anyone who desires further information about the data incident can go to the NHS webpage at nhsmanagement.com for more information.
NHS Management, LLC Provides Notice of Data Privacy Incident
NHS Management, LLC (“NHS”) is providing notice of a recent event that may affect the security of certain information. On May 16, 2021, NHS discovered that it was the victim of a sophisticated cyberattack. NHS immediately launched an investigation to confirm the full nature and scope of the incident and restore functionality to impacted systems. Through the investigation, NHS determined that an unauthorized actor may have had access to certain NHS systems between May 14, 2021 and May 16, 2021. As a result of the investigation, it was determined that certain files were potentially at risk as the result of the incident. Due to the volume and complexity of the files at issue, NHS promptly began working with a third-party data review team to perform a comprehensive review of all information contained in the impacted files. At present, the comprehensive data review is ongoing in an effort to determine what personal information may have been contained within same.
To be clear, NHS has uncovered no evidence that any employee or patient information was misused. Nevertheless, out of an abundance of caution, NHS is working to provide notice to its employees and nursing home residents and patients whose personal information was contained within the affected systems and involved in the incident. The efforts to identify potentially impacted individuals and locate contact information to directly notify those potentially impacted individuals are ongoing. Written notice will be provided to the impacted individuals as soon as practicable after those individuals are identified. Any impacted individuals identified thus far have already been notified. NHS also notified the U.S. Department of Health & Human Services’ Office for Civil Rights and federal law enforcement.
The information that may have been impacted by this incident could have included one or more of the following: an individuals’ name; address and other contact information; medical history; treatment or diagnosis information; health information; health insurance information; Social Security number, date of birth, and/or driver’s license number. However, not every data element would have been impacted for every individual, and there is no evidence of unauthorized access to the database that contains electronic medical records.
NHS takes this incident and the security of personal information in their care very seriously. Upon learning of this incident, NHS moved quickly to investigate, to assess and increase the security of relevant NHS systems, and begin notifying potentially affected individuals. As part of their ongoing commitment to the security of information, NHS is also reviewing and enhancing existing policies and procedures to reduce the likelihood of a similar future event. NHS encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, explanation of benefits, and credit reports for suspicious activity and to detect errors. Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report, place a fraud alert, or a security freeze. Contact information for the credit bureaus is below.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the prior two to five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.); and
- A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a fraud alert or credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax, P.O. Box 105069, Atlanta, GA, 30348, 1-800-685-1111, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com. Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.
For more information, please go to the NHS website at www.nhsmanagement.com.
SOURCE NHS Management