ALISO VIEJO, Calif., March 15, 2019 — Covenant Care California, LLC (“Covenant Care”), provides supportive and resource services to certain affiliated licensed nursing facilities. Covenant Care recently became aware of a privacy incident that potentially affects the information of some patients who have received, or are currently receiving, services at those nursing facilities. While, to date, Covenant Care has no evidence of actual or attempted misuse of the information present in the account, in an abundance of caution, Covenant Care is providing notice of this event to potentially impacted iniduals, as well as to certain state and federal regulators.
On January 29, 2019, Covenant Care learned of suspicious activity related to an email account. Covenant Care immediately secured the account and commenced an investigation. Working with third-party forensic investigators and other vendors, Covenant Care determined that an unauthorized actor(s) had gained access to the email account between January 22, 2019 and January 29, 2019. Covenant Care then undertook a diligent review and analysis of the email account to determine what information was present at the time of unauthorized access. On February 13, 2019, Covenant Care determined that certain patient records were present in the account. This information varies by inidual and includes: full name; Social Security number or health insurance claim number; date of birth and/or date of death; provider(s) name and treatment location(s); medical record number; diagnoses or diagnosis-related groups (DRGs); dollar amounts billed to Medicare; Medicare covered days; admission, re-admission, dates of service, and/or discharge dates; and/or information related to ancillary services, such as home health, hospice, outpatient services, or durable medical equipment.
Covenant Care began mailing notice letters on March 6, 2019 to potentially affected iniduals for whom it has contact information. This notice includes an offer of access to twelve (12) months of credit monitoring and identity theft restoration services at no cost to the inidual. In addition, the notice encourages potentially impacted iniduals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor credit reports and explanation of benefits forms for suspicious activity and to detect errors. Covenant Care is providing potentially impacted iniduals information on obtaining a free credit report annually from each of the three major credit reporting bureaus by visiting www.annualcreditreport.com, calling 877-322-8228, or contacting the three major credit bureaus directly at: Equifax, P.O. Box 105069, Atlanta, GA, 30348, 1-800-685-1111, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com. Potentially impacted iniduals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement and the inidual’s state Attorney General. Covenant Care has provided notice of this incident to the U.S. Department of Health and Human Services, as well as required state regulators, and the Federal Bureau of Investigation.
Information privacy and security are of the highest priority for Covenant Care. Upon learning of this incident, steps were quickly taken to secure the affected email account and a thorough investigation was initiated, which is ongoing at this time. The response to this incident includes working with forensic investigators and other third-party vendors to assist with the investigation, mitigation, and remediation activities. While strict security safeguards exist to protect patient information, Covenant Care’s response to this incident includes a reassessment of its systems and the technical and other safeguards present that are designed to protect those systems. In addition, employee retraining is being conducted regarding email safety awareness, and the policies and procedures on employee training regarding security generally are being reviewed for potential enhancements.
Covenant Care has established a dedicated line for iniduals seeking additional information regarding this incident. Iniduals may call 1-866-298-8060 (toll free), Monday through Friday, 6:00 a.m. to 3:30 p.m. PT.
SOURCE Covenant Care