VNS Health Health Plans Notice of Data Event Involving Downstream Vendor TMG and its MOVEit Server
August 14, 2023 – On Thursday, June 22, 2023, VNS Health Health Plans (“VNS”) was notified by VNS’ vendor, TMG Health, Inc. (a Cognizant Technology Solutions company) (“TMG”), of a data incident that affected the security of certain VNS members’ personal health information. VNS is providing details of the event, its response, and resources available to impacted individuals to help protect their personal health information from possible misuse.
Who is TMG and Why Did They Have VNS Members’ Information? TMG provides claims processing and other administrative services to VNS. As part of these services, TMG receives personal health information regarding VNS members.
What Happened? TMG became aware of a security vulnerability impacting TMG’s instance of the MOVEit Secure File Transfer server generally on May 31, 2023. According to TMG, on June 2, 2023, TMG initiated an investigation and implemented the vendor-recommended actions to prevent an exploit. TMG continued to investigate the situation as more information became available about the security vulnerability and how it could be exploited. On June 22, 2023, TMG notified VNS that on June 21, 2023, as part of the ongoing investigation into the security vulnerability, TMG determined that an unauthorized party had accessed and downloaded certain files from TMG’s instance of the MOVEit server between May 30 and June 2, 2023. Further, on June 27, 2023, TMG learned that the unauthorized party claimed that it had some or all of the impacted files.
What Information was Affected? As a result of TMG’s investigation, which was completed on July 21, 2023, TMG confirmed that the following personal health information may have been impacted: member name, mailing address, telephone number, email address, date of birth, social security number, member ID, Medicare and/or Medicaid number, benefit and subsidy information, billing information, medical claims information, healthcare provider name and specialty, and dates of service. Not all data elements were involved for all individuals.
What TMG Is Doing. VNS is committed to maintaining the privacy and security of its members’ information and is taking this incident very seriously. VNS is ensuring that its impacted vendor, TMG, is taking all appropriate steps to address this incident, including updating its systems to prevent intrusions of this nature from occurring in the future. According to TMG, as soon as it learned of potential unauthorized access to its server, TMG initiated an investigation, notified law enforcement of the incident, and implemented all vendor-recommended actions to prevent an exploit, including closing internet-exposed interfaces and applying all patches released by the vendor. TMG also rebuilt its server and upgraded to the vendor’s most current version, updated its security tools to watch for and block a similar intrusion, and developed behavior-based search queries to detect similar activity in the future. TMG is also evaluating several potential long-term remediation activities to improve the security posture of the environment, including various technical and procedural changes. In response to this incident, VNS is working to enhance its third party risk management processes.
TMG will be mailing notices to impacted individuals on VNS’ behalf. VNS is providing this substitute notice to supplement its mailed notices to impacted individuals.
What Affected Individuals Can Do. We encourage potentially affected individuals to remain vigilant against incidents of identity theft and fraud by reviewing their account statements, explanations of benefits, and credit reports carefully for unexpected activity and to report any questionable activity to the associated institutions immediately. Additional information can be found below in the Steps You Can Take to Protect Information.
TMG will also offer complimentary Personal Identity and Privacy Protection services to affected individuals through IDX (A ZeroFox Company), the data breach and recovery services expert. IDX identity protection services include: credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. With this protection, IDX will help impacted individuals resolve issues if their identity is compromised. We encourage impacted individuals to contact IDX with any questions and to enroll in the free identity protection services by calling 1-888-727-2311 or by going to https://response.idx.us/notice-info. Please note that impacted individuals must complete the enrollment process themselves, as VNS is not permitted to enroll impacted individuals in these services.
For More Information. For individuals seeking additional information regarding this event, a toll-free assistance line has been established. Individuals may call 1-888-727-2311 toll-free Monday through Friday, between the hours of 9:00 a.m. and 9:00 p.m. Eastern Time, excluding major U.S. holidays.
VNS sincerely regrets any concern this incident may cause for any VNS member. VNS takes information security very seriously. VNS is monitoring this matter and will continue to ensure that all appropriate actions are taken with respect to this incident.
Steps You Can Take To Protect Information
Provide Any Updated Personal Information to Your Health Care Provider
Your health care provider’s office may ask to see a photo ID to verify your identity. Please bring a photo ID with you to every appointment if possible. Your provider’s office may also ask you to confirm your date of birth, address, telephone, and other pertinent information so that they can make sure that all of your information is up-to-date. Please be sure and tell your provider’s office when there are any changes to your information. Carefully reviewing this information with your provider’s office at each visit can help to avoid problems and to address them quickly should there be any discrepancies.
Order Your Free Credit Report
To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through the website, toll-free number or request form.
Upon receiving your credit report, review it carefully. Look for accounts you did not open. Look in the “inquiries” section for names of creditors from whom you have not requested credit. Some companies bill under names other than their store or commercial names; the credit bureau will be able to tell if this is the case. Look in the “personal information” section for any inaccuracies in information (such as home address and Social Security Number).
If you see anything you do not understand, call the credit bureau at the telephone number on the report. Errors may be a warning sign of possible identity theft. You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected. If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing. Information that cannot be explained should also be reported to your local police or sheriff’s office because it may signal criminal activity.
How to Enroll in IDX Credit and Identity Monitoring Services
As a safeguard, you may enroll, at no cost to you, in an online credit monitoring and identity restoration service provided by IDX. To enroll in this service, please call 1-888-727-2311 or visit https://response.idx.us/notice-info and follow the instructions for enrollment.
The monitoring included in the membership must be activated to be effective. Please note that credit monitoring services may not be available for individuals who have not established credit or an address in the United States (or its territories) and a valid Social Security number. Enrolling in this service will not affect your credit score. If you need assistance, IDX will be able to assist you.
We encourage you to take advantage of these protections and remain vigilant for incidents of potential fraud and identity theft, including regularly reviewing and monitoring your credit reports and account statements.
Contact the U.S. Federal Trade Commission
If you detect any unauthorized transactions in any of your financial accounts, promptly notify the appropriate payment card company or financial institution. If you detect any incidents of identity theft or fraud, promptly report the matter to your local law enforcement authorities, state Attorney General and the FTC.
You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft by using the contact information below:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
Place a Fraud Alert on Your Credit File
To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect against the possibility of an identity thief opening new credit accounts in your name. When a credit grantor checks the credit history of someone applying for credit, the credit grantor gets a notice that the applicant may be the victim of identity theft. The alert notifies the credit grantor to take steps to verify the identity of the applicant. You can place a fraud alert on your credit report by calling any one of the toll-free fraud numbers provided below. You will reach an automated telephone system that allows flagging of your file with a fraud alert at all three credit bureaus.
|Equifax||P.O. Box 105069 Atlanta, Georgia 30348||1- 888-766-0008||www.equifax.com|
|Experian||P.O. Box 9554 Allen, Texas 75013||1-888-397-3742||www.experian.com|
|TransUnion||P.O. Box 2000 Chester, PA 19016||1-800-680-7289||www.transunion.com|
You have the right to request a credit freeze from a consumer reporting agency, free of charge, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a security freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a security freeze may delay your ability to obtain credit.
Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit bureau. To place a security freeze on your credit report you must contact the credit reporting agency by phone, mail, or secure electronic means and provide proper identification of your identity. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.
Below, please find relevant contact information for the three consumer reporting agencies:
|Equifax Security Freeze||P.O. Box 105788 Atlanta, GA 30348||1-800-685-1111||www.equifax.com|
|Experian Security Freeze||P.O. Box 9554 Allen, TX 75013||1-888-397-3742||www.experian.com|
|TransUnion||P.O. Box 160 Woodlyn, PA 19094||1-888-909-8872||www.transunion.com|
Once you have submitted your request, the credit reporting agency must place the security freeze no later than 1 business day after receiving a request by phone or secure electronic means, and no later than 3 business days after receiving a request by mail. No later than five business days after placing the security freeze, the credit reporting agency will send you confirmation and information on how you can remove the freeze in the future.
For Residents of the District of Columbia
You may contact the D.C. Attorney General’s Office to obtain information about steps to take to avoid identity theft:
D.C. Attorney General’s Office, Office of Consumer Protection, 400 6th Street, NW, Washington DC 20001, 1-202-442-9828, www.oag.dc.gov.
For Residents of New York
You may also obtain information about security breach response and identity theft prevention and protection from the New York Attorney General’s Office:
Office of the Attorney General, The Capitol, Albany, NY 12224-0341, 1-800-771-7755, www.ag.ny.gov.
For Residents of North Carolina
You may also obtain information about preventing and avoiding identity theft from the North Carolina Attorney General’s Office:
North Carolina Attorney General’s Office, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-919-716-6000, www.ncdoj.gov.
* * *
ATTENTION: If you speak English, language assistance services, free of charge, are available to you. Call 1-855-699-6262 (TTY : 1-800-955-8771).
ATENCIÓN: si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística. Llame al 1-855-699-6262 (TTY: 1-800-955-8771).
ATANSYON: Si w pale Kreyòl Ayisyen, gen sèvis èd pou lang ki disponib gratis pou ou. Rele 1-855-699-6262 (TTY : 1-800-955-8771)
CHÚ Ý : Nếu bạn nói Tiếng Việt, có các dịch vụ hỗ trợ ngôn ngữ miễn phí dành cho bạn. Gọi số 11-855-699-6262 (TTY : 1-800-955-8771).
ATENÇÃO: Se fala português, encontram-se disponíveis serviços linguísticos, grátis. Ligue para 1-855-699-6262 (TTY: 1-800-955-8771).
注意:如果您使用繁體中文，您可以免費獲得語言援助服務。請致電1-855-699-6262 (TTY: 1-800-955-8771)。
ATTENTION: Si vous parlez français, des services d’aide linguistique vous sont proposés gratuitement. Appelez le 1-855-699-6262 (ATS : 1-800-955-8771).
PAUNAWA: Kung nagsasalita ka ng Tagalog, maaari kang gumamit ng mga serbisyo ng tulong sa wika nang walang bayad. Tumawag sa 1-855-699-6262 (TTY: 1-800-955-8771).
ВНИМАНИЕ: Если вы говорите на русском языке, то вам доступны бесплатные услуги перевода. Звоните 1-855-699-6262 (телетайп: 1-800-955-8771).
ملحوظة: إذا كنت تتحدث اذكر اللغة، فإن خدمات المساعدة اللغوية تتوافر لك بالمجان. اتصل برقم 1-855-699-6262 (رقم هاتف الصم والبكم: 1-800-955-8771).
ATTENZIONE: In cask la lingua palatal said litigant, so no disponibili servizi di assistenza linguistica gratuiti. Chiamare il numero 1-855-699-6262 (TTY: 1-800-955-8771).
ACHTUNG: Wenn Sie Deutsch sprechen, stehen Ihnen kostenlos sprachliche Hilfsdienstleistungen zur Verfügung. Rufnummer: 1-855-699-6262 (TTY: 1-800-955-8771).
주의: 한국어를 사용하시는 경우, 언어 지원 서비스를 무료로 이용하실 수 있습니다. 1-855-699-6262 (TTY: 1-800-955-8771)번으로 전화해 주십시오.
UWAGA: Jeżeli mówisz po polsku, możesz skorzystać z bezpłatnej pomocy językowej. Zadzwoń pod numer 1-855-699-6262 (TTY: 1-800-955-8771).
સુચના: જો તમે ગુજરાતી બોલતા હો, તો નિ:શુલ્ક ભાષા સહાય સેવાઓ તમારા માટે ઉપલબ્ધ છે. ફોન કરો 1-855-699-6262 (TTY: 1-800-955-8771).
เรียน: ถา้ คุณพดู ภาษาไทยคุณสามารถใชบ้ ริการช่วยเหลือทางภาษาไดฟ้ รี โทร 1-855-699-6262 (TTY: 1-800-955-8771).