Notice of Data Security Incident

Broome County (“County”) recently discovered an incident that may affect the security of personal information of certain individuals who received care from or are associated with certain County departments/offices listed below. We take this incident very seriously, and we have been working diligently, with the assistance of third-party forensic investigators, to determine the full nature and scope of this incident. We are taking additional actions to strengthen the security of our email systems moving forward.

 What happened? On January 2, 2019 the County became aware of changes to a County employee’s direct deposit information.  The County’s internal IT team immediately launched an investigation into the nature and scope of the incident. On or around January 7, 2019, the County’s investigation identified unauthorized access to numerous County employee email accounts and County employee PeopleSoft accounts as a result of a credentials harvesting phishing email. The County immediately launched an investigation to determine what may have happened and what information may have been affected. Working together with a leading computer forensics expert, their investigation determined that an unauthorized individual accessed the employee email account between November 20, 2018 and January 2, 2019.

Because we were unable to determine which email messages in the accounts may have been opened or taken by the unauthorized actor, we reviewed the contents of the email accounts to identify what personal information was stored within them. On April 1, 2019, after a thorough review of the email accounts, we confirmed that the affected email accounts contained sensitive information, and identified the individuals potentially impacted by this incident. Once we confirmed the individuals who were potentially impacted, the County worked to identify the best possible contact information for the impacted individuals and then began preparing an accurate written notice of this incident.

 What information may have been affected by this incident?  The following County divisions/departments were impacted by this incident:

  • Willow Point Nursing Home and Rehabilitation & Nursing Center
  • Greater Binghamton Airport
  • Broome County Department of Social Services
  • Broome County District Attorney’s Office
  • Broome County Office for Aging
  • Broome County Office of Education and Training
  • Broome County Office of Emergency Services
  • Broome County Department of Health
  • Broome County Department of Planning and Economic Development
  • Broome County Department of Probation
  • Broome County Department of Public Transportation
  • Broome County Highway Division
  • Broome County Veterans Services Agency

 The County believes that the unauthorized actor may have had access to information related to certain individuals who received care from or are associated with the above referenced list of County departments/offices.  The data at risk includes the following types of information: name, contact information, Social Security number, bank account or other financial information, date of birth, medical record number, patient identification number, medical and/or clinical information including diagnosis and treatment information, health insurance and claims information, and credit card information for one impacted individual.  

 With the exception of direct deposit information for certain County employees, the County cannot confirm whether any specific information within the affected email accounts was actually accessed, viewed, or acquired without permission. They are providing this notification out of an abundance of caution to anyone whose information was accessible within the email accounts.

 How will individuals know if they are affected by this incident? The County will be mailing notice letters in the near future to any individuals whose protected information was contained within the affected email accounts and may have been accessed or acquired by an unauthorized actor. If an individual does not receive a letter but would like to know if they are affected, they may call the hotline listed below.

 What is Broome County doing? As part of our ongoing commitment to the security of personal information in our care, we are working to implement additional safeguards and security measures to enhance the privacy and security of our patient information, including multi-factor authentication and training for employees to prevent similar future incidents.  The County is providing notice to potentially impacted individuals by way of this notification and notifying the media. The County will be mailing notice letters to those individuals who are determined to be affected and for whom the County has confirmed mailing address information.  Information privacy and security remain one of our highest priorities. The County has strict security measures and will continue to protect the information in our possession.

 Whom should individuals contact for more information? The County has established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals may call 1-866-775-4209, 8:00 a.m. to 5:30 p.m. CT, Monday through Friday with questions or if they would like additional information.  Below is more information about what individuals can do to protect their identities.

   

Steps You Can Take to Protect Your Information

 

Monitor Your Accounts. To protect against the possibility of identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements, and to monitor your credit reports for suspicious activity.  Under U.S. law, you are entitled to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228.  You may also contact the three major credit bureaus directly to request a free copy of your credit report.

We recommend that you regularly review any Explanation of Benefits statements that you receive from your insurer.  If you see any service that you believe you did not receive, please contact your insurer at the number on your statement.  If you do not receive regular Explanation of Benefits statements, you can contact your insurer and request that they send such statements following the provision of services in your name or number.

 Credit Reports. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus.  To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228.  You may also contact the three major credit bureaus directly to request a free copy of your credit report.

 

Security Freeze. You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization.  The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.  However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.  Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report.  Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below:

 

Experian
PO Box 9554
Allen, TX 75013
1-888-397-3742
www.experian.com/freeze/center.html

TransUnion
P.O. Box 2000
Chester, PA 19016
1-800-909-8872
www.transunion.com/credit-freeze

Equifax
PO Box 105788
Atlanta, GA 30348-5788
1-800-685-1111
www.equifax.com/personal/credit-report-services

 

 

To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze.  The credit bureaus have three (3) business days after receiving your request to remove the security freeze.

 As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost.  An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file.  Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit.  If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years.  Should you wish to place a fraud alert, please contact any one of the agencies listed below:

 

Experian
P.O. Box 2002
Allen, TX 75013
1-888-397-3742
www.experian.com/fraud/center.html

TransUnion
P.O. Box 2000
Chester, PA 19106
1-800-680-7289
www.transunion.com/fraud-victim-resource/place-fraud-alert

Equifax
P.O. Box 105069
Atlanta, GA 30348
1-888-766-0008
www.equifax.com/personal/credit-report-services

 

Additional Information. You can further educate yourself regarding identity theft, and the steps you can take to protect yourself, by contacting your state Attorney General or the Federal Trade Commission.  The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them.  The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.  Instances of known or suspected identity theft should be reported to law enforcement, your Attorney General, and the FTC. You can also further educate yourself about placing a fraud alert or security freeze on your credit file by contacting the FTC or your state’s Attorney General.