Notice of Security Incident
Professional Business Systems, Inc. d/b/a Practicefirst Medical Management Solutions and PBS Medcode Corp. (“Practicefirst” or “We”), a medical management company that processes data for health care providers, is providing notice of a recent incident that may affect the security of employee and patient information (“Information”).
On December 30, 2020, We learned that an unauthorized actor who attempted to deploy ransomware to encrypt our systems copied some files from our system, including files that contain limited patient and employee personal Information. Upon learning of this, We shut down our systems, changed passwords, alerted law enforcement, and retained national privacy and security experts.
We are not aware of any fraud or misuse of any of the Information as a result of this Incident. The actor who took the copy has advised that the Information is destroyed and was not shared.
What Information Was Involved?
The Information, copied from our system by the unauthorized actor before it was permanently deleted, included the following categories of information: name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card/debit card information.
This describes general categories of information involved in this Incident, many records did not include all categories.
What Is Practicefirst Doing?
We immediately reported the Incident to appropriate law enforcement authorities and implemented measures to further improve the security of our systems and practices. We worked with a leading privacy and security firm to aid in our investigation and response and will report this Incident to relevant government agencies. We also implemented additional security protocols designed to protect our network, email environment, and systems.
What Can Impacted Individuals Do?
We established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals seeking additional information may call the toll-free assistance line at 855-731-3351 with any questions about the Incident or health care provider(s) associated with this Incident. This toll-free line is available Monday through Friday, from 9:00 a.m. to 6:30 p.m. Eastern Time (excluding some U.S. national holidays). Potentially affected individuals may also consider the information and resources outlined below.
Steps You Can Take to Protect Your Personal Information
Practicefirst encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To obtain a free credit report, individuals may visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Alternatively, affected individuals can contact the three major credit reporting bureaus directly at the addresses below:
Contact information for the three nationwide credit reporting companies is as follows:
Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742
TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213
Free Credit Report. We remind you to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every twelve (12) months from each of the three (3) nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
For Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Puerto Rico, and Vermont residents:
You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit reporting agencies directly to obtain such additional report(s).
Security Freeze. Security freezes, also known as credit freezes, restrict access to your credit file, making it harder for identity thieves to open new accounts in your name. You can freeze and unfreeze your credit file for free. You also can get a free freeze for your children who are under sixteen (16). And if you are someone’s guardian, conservator or have a valid power of attorney, you can get a free freeze for that person too.
How will these freezes work? Contact all three of the nationwide credit reporting agencies – Equifax, Experian, and TransUnion. If you request a freeze online or by phone, the agency must place the freeze within one business day. If you request a lift of the freeze, the agency must lift it within one hour. If you make your request by mail, the agency must place or lift the freeze within three business days after it gets your request. You also can lift the freeze temporarily without a fee.
Do not confuse freezes with locks. They work in a similar way, but locks may have monthly fees. If you want a free freeze guaranteed by federal law, then opt for a freeze, not a lock.
The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.
For New Mexico residents: You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
For Colorado and Illinois residents: You may obtain information from the credit reporting agencies and the FTC about security freezes.
Fraud Alerts. A fraud alert tells businesses that check your credit that they should check with you before opening a new account. As of September 18, 2018, when you place a fraud alert, it will last one year, instead of 90 days. Fraud alerts will still be free and identity theft victims can still get an extended fraud alert for seven years.
For Colorado and Illinois residents: You may obtain additional information from the credit reporting agencies and the FTC about fraud alerts.
Federal Trade Commission and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state. You may also contact these agencies for information on how to prevent or avoid identity theft. You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-IDTHEFT (438-4338).
For Maryland Residents: You may contact the Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.
For North Carolina residents: You may contact the North Carolina Office of the Attorney General, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, 1-877-566-7226.
For Rhode Island Residents: You may contact the Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903, http://www.riag.ri.gov, 401-274-4400.
Reporting of identity theft and obtaining a police report.
You have the right to obtain any police report filed in the United States in regard to this incident. If you are the victim of fraud or identity theft, you also have the right to file a police report.
For Iowa residents: You are advised to report any suspected identity theft to law enforcement or to the Iowa Attorney General.
For Massachusetts residents: You have the right to obtain a police report if you are a victim of identity theft. You also have a right to file a police report and obtain a copy of it.
For Oregon residents: You are advised to report any suspected identity theft to law enforcement, the Federal Trade Commission, and the Oregon Attorney General.
For Rhode Island residents: You have the right to file or obtain a police report regarding this incident.