OrthoWest, LLC, dba OrthoNebraska Clinics and Nebraska Orthopaedic Hospital LLC, dba OrthoNebraska Hospital (“OrthoNebraska”) is committed to protecting the privacy and security of the personal information we maintain. We recently learned that some information provided to our vendor, Welltok, Inc. or Virgin Pulse, Inc. (“Welltok”), was involved in a data breach. OrthoNebraska’s systems were not affected. Welltok is providing notice of the event and making resources available to individuals to help protect their information, should they feel it appropriate to do so.
What Happened? On July 26, 2023, Welltok was alerted to an earlier alleged compromise of its MOVEit Transfer server in connection with software vulnerabilities made public by the developer of the MOVEit Transfer tool. As a user of that tool, Welltok moved quickly to apply available patching and undertook recommended mitigation steps. Welltok promptly launched an internal investigation, with the assistance of third-party cybersecurity specialists, to determine the potential impact of the vulnerabilities’ presence on the MOVEit Transfer server and the security of data housed on the server. The investigation determined that an unknown actor exploited vulnerabilities, accessed the MOVEit Transfer server on May 30, 2023, and exfiltrated certain data from the MOVEit Transfer server during that time. Welltok subsequently undertook an exhaustive and detailed review of the data stored on the server at the time of this incident to understand the contents of that data and to whom that data relates.
What Information Was Involved? While we have no evidence that any of personal or protected health information has been misused, Welltok is notifying impacted individuals by mail, to the extent a last known address is available, and providing information and resources to help individuals protect their personal information. The following types of information may have been impacted: name, address, phone number, email address, date of birth, health insurance information, treatment cost information, and medical information, including treatment/diagnosis, provider name, MRN/patient ID. The type of information at issue varies for each person.
What We Are Doing. We take this event and the security of personal information in our care very seriously. Upon learning of this event, we worked with Welltok to understand the full scope of the incident and to ensure the appropriate mitigation steps had been taken to prevent events like this in the future. Welltok is notifying impacted individuals for whom a valid mailing address is available via U.S. mail and offering them credit monitoring and identity protection services.
How Will Individuals Know If They Are Affected By This Incident? Welltok is mailing a notice letter to individuals whose information was determined to be in the affected files, for whom we have a valid mailing address. If an individual does not receive a letter but would like to know if they are affected, they may call Welltok’s dedicated assistance line at 800-628-2141.
For More Information. For individuals seeking more information or who have questions, please call the dedicated toll-free helpline at 800-628-2141.
What You Can Do. We encourage individuals to remain vigilant against incidents of identity theft and fraud by reviewing your account statements, explanation of benefits forms, and monitoring your free credit reports for suspicious activity and to detect errors. Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report, place a fraud alert, or a security freeze. Contact information for the credit bureaus is below:
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you may need to provide the following information, depending on whether the request is made online, by phone, or by mail:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the prior two to five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
- A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a fraud alert or a credit freeze, please contact the three major credit reporting bureaus listed below:
|Equifax Fraud Alert, P.O. Box 105069 Atlanta, GA 30348-5069
|Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013
|TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016
|Equifax Credit Freeze, P.O. Box 105788 Atlanta, GA 30348-5788
|Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013
|TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094
You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.
Protecting Your Medical Information
The following practices can provide additional safeguards to protect against medical identity theft.
- Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
- Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.
- Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.
Iowa Residents: You may contact law enforcement or the Iowa Attorney General’s Office to report suspected incidents of identity Theft: Office of the Attorney General of Iowa, Consumer Protection Division, Hoover State Office Building, 1305 East Walnut Street, Des Moines, IA 50319, www.iowaattorneygeneral.gov, Telephone: 515-281-5164.
Maryland Residents: You may obtain information about avoiding identity theft from the Maryland Attorney General’s Office: Office of the Attorney General of Maryland, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, https://www.marylandattorneygeneral.gov/, Telephone: 888-743-0023.
Massachusetts Residents: Under Massachusetts law, you have the right to obtain a police report in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
New York Residents: You may obtain information about preventing identity theft from the New York Attorney General’s Office: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; https://ag.ny.gov/consumer-frauds-bureau/identity-theft; Telephone: 800-771-7755.
North Carolina Residents: You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office: Office of the Attorney General of North Carolina, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov/, Telephone: 877-566-7226 (Toll-free within North Carolina), 919-716-6000.
Oregon Residents: You may obtain information about preventing identity theft from the Oregon Attorney General’s Office: Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, www.doj.state.or.us/, Telephone: 877-877-9392.
Washington D.C. Residents: You may obtain information about preventing identity theft from the Office of the Attorney General for the District of Columbia, 400 6th Street NW, Washington D.C. 20001, https://oag.dc.gov/consumer-protection, Telephone: 202-442-9828.
New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov.
Rhode Island Residents: You may contact law enforcement, such as the Rhode Island Attorney General’s Office, to report incidents of identity theft or to learn about steps you can take to protect yourself from identity theft. You can contact the Rhode Island Attorney General at: Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903, www.riag.ri.gov, 401-274-4400. There was 1 Rhode Island resident impacted by this incident.