Below is information provided to members

We are writing to let you know that we experienced a security breach. This letter goes over what happened, the steps we have taken, and what you can do to stay safe.

What Happened

On May 31, 2023, the software of one of our vendors (MOVEit) was hacked by a bad actor. We use MOVEit software to share data to manage your benefits. We patched the software as instructed by MOVEit on June 1. We then began an investigation to find if any data was stolen. 

On June 27, CareSource was named as one of the victims of hacked data. We learned new info at that time. Our investigation found that the bad actor did access the software on May 31. They copied certain data from the server. It also found that the bad actor lost access to the software when the patch was added.

We are sorry to say that some of your protected health information was part of the data stolen by the bad actor.

What Data Was Stolen?

Our investigation showed that the bad actor may have data like your:

  • First Name
  • Last Name
  • Address
  • Date of Birth
  • Gender
  • Social Security Number
  • Member ID
  • Plan Name
  • Health Condition
  • Medications
  • Allergies
  • Diagnosis

What We Are Doing

We take your security and privacy seriously. We have added all patches from MOVEit. The bad actor lost access once the patch was added. We are doing a full investigation and are looking into what, if any, updated processes may be needed.

This attack was widespread. It impacted hundreds of groups that used MOVEit as a vendor.

What You Can Do

Stay alert. Check your accounts for fraudulent activity. You should also check that your mail from CareSource is correct. Let us know if any of it seems suspicious.

We have partnered with Kroll to offer you two years of credit monitoring. We have added instructions on how to sign up and use their services. This is all free to you. Please sign up no later than <90 days from receipt of your letter>.

There are other steps you can take to protect yourself.

  1. Ask for a free credit report:

Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281

  1. Ask for a credit freeze or to add a fraud alert on your file. Do this by reaching out to one of the three major groups:
  • Equifax (www.equifax.com/personal/credit-report-services/credit-freeze/)
  • Experian (www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/security-freeze/)
  • TransUnion (www.transunion.com/credit-freeze)

Questions? Call <866-764-7020>. We are open <Monday – Friday 9:00 a.m. to 6:30 p.m. ET>. We are here to help.

Sincerely,

Anne Fogler
AVP, Privacy
CareSource

ACTIVATE YOUR IDENTITY MONITORING SERVICES

(Individualized instructions will be received via parcel post)

To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide Identity Monitoring, Fraud Consultation, and Identity Theft Restoration at no cost to you for two years. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained an unintentional exposure of confidential data.

      Visit <<IDMonitoringURL>> to activate and take advantage of your Identity Monitoring services.

      You have until <<Date>> to activate your Identity Monitoring services.

      Membership Number: <<Member ID>>

For more information about Kroll and your Identity Monitoring services, you can visit info.krollmonitoring.com.

You have been provided with access to the following services from Kroll:

Single Bureau Credit Monitoring

You will receive alerts when there are changes to your credit data—for instance, when a new line of credit is applied for in your name. If you do not recognize the activity, you’ll have the option to call a Kroll fraud specialist, who will be able to help you determine if it is an indicator of identity theft.

Fraud Consultation

You have unlimited access to consultation with a Kroll fraud specialist. Support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used, including investigating suspicious activity that could be tied to an identity theft event.

Identity Theft Restoration

If you become a victim of identity theft, an experienced Kroll licensed investigator will work on your behalf to resolve related issues. You will have access to a dedicated investigator who understands your issues and can do most of the work for you. Your investigator will be able to dig deep to uncover the scope of the identity theft, and then work to resolve it.

ADDITIONAL RESOURCES

Contact information for the three nationwide credit reporting agencies:

Equifax, P.O. Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111

Experian, P.O. Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742

TransUnion, P.O. Box 2000, Chester, PA 19016, www.transunion.com, 1-800-888-4213

Free Credit Report. It is recommended that you remain vigilant by reviewing account statements and monitoring your credit report for unauthorized activity, especially activity that may indicate fraud and identity theft. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting agencies.

To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.

You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to:

Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

For Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Puerto Rico, and Vermont residents: You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit reporting agencies directly to obtain such additional report(s).

Fraud Alerts. There are two types of fraud alerts you can place on your credit report to put your creditors on notice that you may be a victim of fraud—an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for at least one year. You may have an extended alert placed on your credit report if you have already been a victim of identity theft and you have the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. You can place a fraud alert on your credit report by contacting any of the three national credit reporting agencies.

Security Freeze. You have the ability to place a security freeze, also known as a credit freeze, on your credit report free of charge.

A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, you may use an online process, an automated telephone line, or submit a written request to any of the three credit reporting agencies listed above. The following information must be included when requesting a security freeze (note that, if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past 5 years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, and display your name, current mailing address, and the date of issue.

Federal Trade Commission and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state. You may also contact these agencies for information on how to prevent or minimize the risks of identity theft.

You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/,      1-877-IDTHEFT (438-4338).

For Maryland residents: You may contact the Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.

For North Carolina residents: You may contact the North Carolina Office of the Attorney General, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, 1-877-566-7226.

For New York residents: The Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; https://ag.ny.gov/.

For Connecticut residents: You may contact the Connecticut Office of the Attorney General, 165 Capitol Avenue, Hartford, CT 06106, 1-860-808-5318; www.ct.gov/ag.

For Massachusetts residents: You may contact the Office of the Massachusetts Attorney General, 1 Ashburton Place, Boston, MA 02108, 1-617-727-8400, www.mass.gov/ago/contact-us.html

Reporting of identity theft and obtaining a police report.

For Iowa residents: You are advised to report any suspected identity theft to law enforcement or to the Iowa Attorney General.

For Massachusetts residents: You have the right to obtain a police report if you are a victim of identity theft.

For Oregon residents: You are advised to report any suspected identity theft to law enforcement, the Federal Trade Commission, and the Oregon Attorney General.