Notice of Cybersecurity Incident
Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS MedCode Corp. (“Practicefirst” or “We”), a medical management company that processes data for health care providers, is providing notice of a recent incident that may affect the security of employee and patient information (“Information”).
On December 30, 2020, We learned that an unauthorized actor who attempted to deploy ransomware to encrypt our systems copied some files from our system, including files that contain limited patient and employee personal Information. Upon learning of this, We shut down our systems, changed passwords, alerted law enforcement, and retained data security and privacy professionals.
We are not aware of any fraud or misuse of any of the Information as a result of this incident. The actor who took the copy has advised that it has since deleted the Information and did not share it.
What Information was Involved.
The Information copied from our system by the unauthorized actor before it was permanently deleted included the following categories of information: name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card card/debit card information.
This describes general categories of Information involved in this incident. Many records did not include all or even most of these categories. As detailed in “What You Can Do” below, if you have any questions regarding whether your Information was affected by the Incident, then please call the toll-free assistance line.
What We Are Doing.
We immediately reported the Incident to appropriate law enforcement authorities and implemented measures to further improve the security of our systems and practices. We reported the incident to relevant government agencies and have cooperated with their investigations.
We worked with data security and privacy professionals to aid our own investigation and response. We also implemented additional security protocols designed to protect our network, email environment, and systems.
In June and July 2021, We mailed letters to the affected individuals for whom we had recent mailing addresses to notify them of the incident. At the same time, We also posted a notice of the incident on our website, and issued a press release regarding the incident for distribution in popular print and digital news sources.
What You Can Do.
Experts encourage simple steps for protecting your personal information, including changing your passwords regularly, monitoring your personal accounts closely, reporting suspicious activity to your financial institutions, and never sharing your personal information with unknown or untrusted sources.
We established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals seeking additional information may call the toll-free assistance line at 866-347-6675 with any questions about the Incident or health care provider(s) associated with this Incident. This toll-free line is available Monday through Friday, from 9:00 a.m. to 6:30 p.m. Eastern Time (excluding some U.S. national holidays). Potentially affected individuals may also consider the information and resources outlined below.
In addition, we are offering, at no cost to impacted individuals, two years of credit and identity monitoring services. Please call the toll-free assistance line 866-347-6675 to verify whether you are an impacted individual and obtain an activation code. This offer does not apply to anyone that previously activated the service when initially offered. After you call the toll-free assistance line, verify your eligibility, and obtain an activation code, then please visit https://enroll.idheadquarters.com/redeem and enter your activation code to take advantage of these services. To sign into your account after you have activated the services, please visit login.idheadquarters.com.
Contact information for the three nationwide credit reporting agencies:
Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742
TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213
Free Credit Report.
It is recommended that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit report for unauthorized activity. You may obtain a copy of your credit report, free of charge, once every twelve (12) months from each of the three nationwide credit reporting agencies.
You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
For Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Puerto Rico, and Vermont residents:
You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit reporting agencies directly to obtain such additional report(s).
You may place a fraud alert in your file by calling one of the three nationwide credit reporting agencies above. A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.
You may obtain a security freeze on your credit report, free of charge, to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may also submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report, free of charge, or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place.
To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three credit reporting agencies listed above. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, and display your name, current mailing address, and the date of issue.
For New Mexico Residents:
You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
Federal Trade Commission and State Attorneys General Offices.
If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state. You may also contact these agencies for information on how to prevent or avoid identity theft.
You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-IDTHEFT (438-4338).
For Alabama Residents:
You may contact the Attorney General’s Office for the State of Alabama, Consumer Protection Division, 501 Washington Avenue, Montgomery, AL 36104, www.oag.state.md.us, 1-800-392-5658.
For District of Columbia Residents:
You may contact the District of Columbia Office of the Attorney General, 400 6th Street NW, Washington, D.C. 20001, email@example.com, (202) 442-9828.
For Illinois Residents:
You may contact the Illinois Office of the Attorney General, 100 West Randolph Street, Chicago, IL 60601, https://illinoisattorneygeneral.gov/about/email_ag.jsp, 1-800-964-3013.
For Iowa Residents:
You may contact the Iowa Office of the Attorney General, 1305 E. Walnut Street, Des Moines IA 50319, firstname.lastname@example.org, 1-888-777-4590.
For Kansas Residents:
You may contact the Kansas Office of the Attorney General, Consumer Protection Division, 120 SW 10th Ave, 2nd Floor, Topeka, KS 66612-1597, https://ag.ks.gov/, 1-800-432-2310.
For Kentucky Residents:
You may contact the Kentucky Office of the Attorney General, Consumer Protection Division, 1024 Capital Center Drive, Suite 200, Frankfort, Kentucky 40601, www.ag.ky.gov, 1-800-804-7556.