Public Privacy Notice
September 22, 2020
Seven Counties Services takes client privacy seriously, and it is important to us that the public is made fully aware of a potential electronic data security incident. We have learned that from July 27, 2020 to July 30, 2020, a phishing incident took place that may have compromised protected health information. All individuals involved have been personally notified.
The incident is believed to have begun on July 27, 2020, as the result of a phishing email that sent emails to other staff; these emails appeared to be from a trusted source and asked for login information. Several staff responded to the request and their email accounts were compromised. The incident was discovered by our IT Department on July 28, 2020, and the thirteen staff email accounts were immediately secured. Although we have no information at this time to indicate unauthorized access to personal information, we want to explain the circumstances of the incident and to advise of steps you can take to protect personal information.
What information was involved?
Our organization maintains demographic, financial and clinical protected health information about you in order to provide services. This information, which is primarily stored electronically, can be shared internally with staff by email messages and reports on a need-to-know basis. Reports contain name, and several reports contain the following: date of birth, social security number, address, phone number, email, diagnosis, date of service. Any email that contained information about you, or a report as an attachment, could have been compromised. We cannot determine based on our logs whether the attackers opened, viewed or downloaded any message.
What additional action did Seven Counties Services take in response to the incident?
To reduce the chance of a future recurrence of a similar incident and to better protect the organization, our IT Department set up better access controls. The organization had already implemented a flag on emails received from outside our organization by adding an External Email banner to such emails. This External Email banner is intended to aid employees in identifying email from someone posing as a trusted source within our organization, as well as other suspicious emails. Since this incident, the IT Department has posted educational information for employees regarding phishing attacks and spoofed email and how to be vigilant against these types of malicious emails. IT has proposed conditional, location-based Multi-Factor Authentication as a standard. We believe this will shore up this vulnerability.
What should I do now?
While banking information was likely not exposed, it is prudent to review account transactions regularly and to closely monitor all financial accounts, including credit cards, checking and savings accounts, 401k, etc. We encourage you to monitor your credit regularly. You should look out for new accounts that may have been established in your name but not by you. Below are the three main credit reporting agencies, as well as free resources, to help you monitor your credit or to report identity theft.
- Experian: (888) 397-3742; experian.com: PO Box 9532 Allen, TX 75013
- TransUnion: (800) 680-7289; transunion.com: Fraud Victim Assistance Division, PO Box 6790 Fullerton, CA 92834-6790
- Equifax: (800) 525-6285; http://equifax.com: PO Box 740241, Atlanta, GA 30374-0241
You can also order a free copy of your credit report once every 12 months by visiting www.annualcreditreport.com, which is also available from the FTC website with additional information: https://www.ftc.gov/faq/consumer-protection/get-my-free-credit-report. You may also contact the FTC for information on how to prevent or avoid identity theft: http://www.identitytheft.gov/infor-lost-or-stolen.
If you believe you have been a victim of identity theft or have reason to believe that your information has been misused, you should immediately contact the U.S. Federal Trade Commission (FTC) and/or the consumer protection agencies.
- Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, ftc.gov/bcp/edu/microsites/idtheft/, 1-877-IDTHEFT (438-4338).
- Kentucky: Office of Consumer Protection, 1024 Capital Center Drive, Suite 200, Frankfort, Kentucky 40601, Phone (502) 696-5389; Identity Theft Hotline: (800) 804-7556
If you have questions or concerns, you may call the following number: 1-833-353-1065.