Notification of Security Incident

May 6, 2019

Re: Notification of Security Incident

Dear Sir or Madam,

We are writing to let you know about an information security incident that could potentially affect the confidentiality of your personal information. Please be assured we have taken every step necessary to address this incident and we are committed to fully protecting all of the information you have entrusted to us. We want to be as transparent as we can about this incident and share what additional steps you can take to guard against potential fraud and identity theft.

At this time, there is no evidence that the unauthorized party retrieved your information or used any of your information for malicious purposes. We are bringing this incident to your attention in an abundance of caution so you can take any action necessary to reduce the potential for harm.

Background
On or about March 10, 2019, American Baptist Homes of the Midwest (“ABHM”) became a victim of a cybersecurity incident. The incident occurred when an unauthorized party gained access to ABHM’s computer system and infected the system with malware. The malware encrypted many of ABHM’s records, which made them inaccessible, in an effort to extort money. This is commonly known as ransomware. We discovered the malware very shortly after it encrypted our records on March 10th and were able to stop the incident and secure the affected accounts

What Information may have been accessed
Although the incident did not impact our clinical and billing system, it affected company emails and general file systems. Due to the nature of the computer servers and the information stored on them, the unauthorized party may have had access to names and addresses of individuals whose data was maintained by ABHM. Other information, including, social security numbers, medical information (such as diagnosis, lab results and medications) and financial information may also have been included in what the unauthorized party was able to see. The following ABHM locations were affected:

  • Thorne Crest Senior Living, Albert Lea, MN
  • Tudor Oaks Senior Living, Muskego, WI
  • Elm Crest Senior Living, Harlan, IA
  • Health Center at Franklin Park, Denver, CO
  • Maple Crest Health Center, Omaha, NE
  • Mountain Vista Senior Living, Wheat Ridge, CO
  • Trail Ridge Senior Living, Sioux Falls, SD
  • Crest Services- Albert Lea, MN, Cedar Rapids, IA, Des Moines, IA, Harlan, IA, Ottumwa, IA, Chariton, IA

It appears that your information may have been accessible to the unauthorized party. However, at this time ABHM has no evidence that any resident information was retrieved or misused in any way.

What we are doing to protect you
ABHM acted quickly to address the issue and was able to recover and regain control of the files and end the incident after only a few hours.

We engaged a data forensics firm to ensure all systems were free of malware and assist in the backup recovery of our systems. In addition to addressing the immediate issue, ABHM has adopted further safeguards going forward. ABHM brought in a third-party security expert to perform an in-depth security risk assessment, enhanced its technological security requirements (for example, we strengthened password requirements and implemented electronic procedures that terminate access to ABHM systems after a series of failed attempts) and engaged a 24/7 security monitoring system to safeguard and protect all ABHM data. ABHM has also informed law enforcement and the Office for Civil Rights at the U.S. Department of Health and Human Services.

What you can do to protect yourself
To help reduce the risk of identity theft, as an ongoing best practice, we recommend carefully and regularly reviewing your credit reports, credit card statements and other financial account information. If you find any unauthorized or suspicious activity, you should contact your credit card company or financial institution immediately. You also should promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission.

We also recommend that you consider placing a fraud alert on your credit files. A fraud alert requires potential creditors to use reasonable policies and procedures to verify your identity before issuing credit in your name. A fraud alert lasts for 90 days and is available at no charge to you. To place a fraud alert on your credit files, contact one of the following three credit reporting agencies:

Experian
P.O. Box 9530
Allen, TX 75013
1-888-397-3742
www.experian.com

Equifax
P.O. Box 105069
Atlanta, GA 30348-5069
1-800-525-6285
www.equifax.com

TransUnion
P.O. Box 6790
Fullerton, CA 92834
1-800-680-7289
www.transunion.com

Each credit reporting agency is required to notify the others when it receives a fraud alert. You will receive letters from all three, confirming the fraud alert and letting you know how to get a free copy of your credit report. When you receive your credit reports look them over carefully. Look for accounts you did not open, inquiries from creditors you did not initiate and for personal information, such as a home address or social security number, that is not accurate. If you see anything that you do not understand, call the credit reporting agency at the telephone number on the report. You can keep the fraud alert in place by calling again after 90 days.

If you find suspicious activity on your credit reports or other financial documents, call your local police or sheriff’s office and file a police report of identity theft. We would suggest obtaining a copy of the police report as you may need to give copies to creditors to clear up your records. Even if you do not find any signs of fraud on your reports, we recommend that you remain vigilant by reviewing your account statements and monitoring free credit reports periodically.

We sincerely apologize for any inconvenience this security incident may cause you. ABHM has established a toll-free call line to answer questions about the incident and related concerns. The call center is available Monday through Friday from 8:00 a.m. to 5:00 p.m., Central Time and can be reached at 877-408-3394.

Sincerely,

Jeff Hongslo
CEO/President, American Baptist Homes of the Midwest