Notice of NASCO/MOVEit cybersecurity attack
This notice applies to BlueAdvantage Administrators of Arkansas members affected by the NASCO -MOVEit Transfer by Progress Software (“MOVEit”) Breach. If you are affected by this breach expect to receive a notification letter from NASCO.
NASCO, a provider of benefits administration services to health plans, used a third-party software application, MOVEit Transfer by Progress Software (“MOVEit”), to exchange files. On May 30, 2023, NASCO experienced a data security incident in which an unauthorized third party acquired data from NASCO’s MOVEit instance. When NASCO learned of this issue on July 12, 2023, it promptly took steps to secure its systems, notified law enforcement, and launched an investigation with the support of a leading cybersecurity firm that found that some of the acquired files contained the personal information of certain individuals. NASCO is providing notification to certain affected individuals and offering them 24 months of complimentary enrollment in Experian’s identity monitoring services.
The affected information included name, demographic information (including address, phone number, gender, date of birth), health insurance number, claim information, Social Security number, medical ID number, date of service, medical information (such as diagnosis information), medical device or product purchased and provider/caregiver name. The affected personal information varies by individual.
NASCO takes the protection of personal information seriously, as data privacy and security are among our highest priorities. Upon discovering the incident, we promptly took steps to mitigate the risk to affected individuals and the affected personal information. We encourage affected individuals to remain vigilant against incidents of identity theft and fraud, to review their account statements, and to monitor their free credit reports for suspicious activity and to detect errors. Affected individuals should also review benefits documents that they receive from their heath plan to confirm that they received the health care services described. The Reference Guide below describes some steps individuals can take to protect their information.
Affected individuals with questions about the issue or how to enroll in Experian identity monitoring services may call 855-873- 7643 Monday through Friday between 9:00 a.m. and 11:00 p.m., and Saturday and Sunday between 11:00 am and 8:00 pm Eastern Time, excluding major U.S. holidays.
We apologize for any inconvenience or concern this may cause. NASCO takes security very seriously and protecting personal information is among our highest priorities. We have applied additional safeguards within our environment to further enhance threat prevention.
REFERENCE GUIDE
Affected individuals should remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring credit reports for unauthorized activity.
Credit Reports. Under federal law, U.S. individuals are entitled to one free copy of their credit report every 12 months from each of the three nationwide credit reporting agencies, which may be obtained by visiting www.AnnualCreditReport.com, or by calling (877) 322-8228. Annual free credit reports also may be obtained by completing the Annual Credit Report Request Form, available from the FTC at www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf, and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
The nationwide credit reporting agencies may be contacted at:
Equifax | Experian | TransUnion |
---|---|---|
P.O. Box 105788 Atlanta, GA 30348 www.equifax.com (800) 525-6285 | P.O. Box 9554 Allen, TX 75013 www.experian.com (888) 397-3742 | P.O. Box 2000 Chester, PA 19016 www.transunion.com (800) 680-7289 |
Fraud Alerts. U.S. individuals may place a fraud alert on their file by calling one of the three nationwide credit reporting agencies above. A fraud alert tells creditors to follow certain procedures, including contacting the individual before they open any new accounts or change the individual’s existing accounts. For that reason, placing a fraud alert can provide protection, but also may delay an individual’s ability to obtain credit.
Credit Freezes (for Non-Massachusetts Residents): U.S. individuals may have the right to put a credit freeze, also known as a security freeze, on their credit file, so that no new credit can be opened in their name without the use of a PIN number that is issued when a freeze is initiated. A credit freeze is designed to prevent potential credit grantors from accessing an individual’s credit report without their consent. Upon placing a credit freeze, potential creditors and other third parties will not be able to get access to an individual’s credit report unless they temporarily lift the freeze. Therefore, using a credit freeze may delay an individual’s ability to obtain credit. In addition, an individual may incur fees to place, lift and/or remove a credit freeze. Credit freeze laws vary from state to state. The cost of placing, temporarily lifting, and removing a credit freeze also varies by state, generally $5 to $20 per action at each credit reporting company. Unlike a fraud alert, individuals must separately place a credit freeze on their credit file at each credit reporting company. Since the instructions for how to establish a credit freeze differ from state to state, please contact the three major credit reporting companies as indicated above.
More information about fraud alerts and credit freezes can be obtained by contacting the FTC (as described below) or one of the national credit reporting agencies listed above.
Credit Freezes (for Massachusetts Residents): Massachusetts law gives Massachusetts residents the right to place a security freeze on their consumer reports. A security freeze is designed to prevent credit, loans and services from being approved in an individual’s name without their consent. Using a security freeze, however, may delay an individual’s ability to obtain credit. An individual may request that a freeze be placed on their credit report by sending a request to a credit reporting agency by certified mail, overnight mail or regular stamped mail to the respective address indicated above.
Unlike a fraud alert, individuals must separately place a credit freeze on their credit file at each credit reporting company. The following information should be included when requesting a security freeze (documentation for the individual and their spouse must be submitted when freezing a spouse’s credit report): full name, with middle initial and any suffixes; Social Security number; date of birth (month, day and year); current address and previous addresses for the past five (5) years; and applicable fee (if any) or incident report or complaint with a law enforcement agency or the Department of Motor Vehicles. The request should also include a copy of a government-issued identification card, such as a driver’s license, state or military ID card, and proof of current residential address (e.g., a copy of a utility bill, bank or insurance statement). Each copy should be legible, display the individual’s name and current mailing address, and the date of issue (statement dates must be recent). If an individual has been a victim of identity theft, and they provide the credit reporting agency with a valid police report, the agency cannot charge to place, lift or remove a security freeze.
Report Incidents of Identity Theft. If an individual believes they are the victim of identity theft or have reason to believe their personal information has been misused, they should promptly report the issue to law enforcement, the FTC or their state Attorney General. For information on how to prevent or avoid identity theft, the FTC can be contacted at:
Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20508, www.ftc.gov, 1- 877-IDTHEFT (438-4338).
For North Carolina residents. For information on how to prevent identity theft, North Carolina residents can contact the North Carolina Office of the Attorney General, Consumer Protection Division at: 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, 1-877-566-7226.