This notice is from The Medibase Group, Inc. (“Medibase,” “We,” “Us,” or “Our”) about a recent security incident. Medibase provides services to health care providers. Because Medibase works as a vendor to health care providers and their business associates, personal information, including health information, has been impacted in this incident.

Medibase is posting this substitute notice to provide customers and individuals with information about the criminal cyberattack on Medibase systems and to share resources available to people who believe their personal data may have been impacted.

The review of personal information involved in this incident is now complete. Medibase is providing this notice to help individuals understand what happened, let them know that their information may have been impacted, and give them information on steps they can take to protect their privacy, including enrolling in complimentary credit monitoring and identity theft protection services if they believe that their information may have been impacted.

This substitute notice contains the information Medibase can provide at this time. Medibase has identified affected individuals and plans to mail written letters to those individuals for whom we have a sufficient address. Please note, we may not have sufficient addresses for all affected individuals. The mailing process is expected to begin immediately as Medibase completes quality assurance procedures.

What Happened? On or around May 8, 2024, Medibase notified certain healthcare providers about a cybersecurity incident involving an unauthorized party gaining access to one of Medibase’s systems and confirmed that the incident may have affected the personal information of certain individuals. The incident occurred on or around January 26, 2024. Promptly after discovering the incident, we initiated a response to the incident, and took the necessary protective actions to stop the unauthorized access to the system.  We thereafter engaged a leading security and forensics company to conduct an investigation into the matter. Medibase also subsequently reported this incident to U.S. federal law enforcement. At no time did this incident involve access to any of the healthcare providers’ systems or networks.

Medibase does not believe the unauthorized party targeted any individuals’ personal information or intended to harm individuals. Instead, the evidence suggests the unauthorized party was motivated to target Medibase and its company information, as is common with these types of cybersecurity incidents.

What Personal Information Is Involved? Medibase determined that the personal information impacted may have included full name, Social Security number, date of birth, admit and discharge date, outstanding balance amounts, and insurance information.  No clinical information or other sensitive financial account or payment-related information was impacted.

What We Are Doing. We are taking this matter very seriously. In addition to the actions described above, it is our priority to continue to evaluate and deploy the level of robust security protocols, continuous monitoring, and staff training needed to prevent and defend against future sophisticated cybersecurity threats. Notice was also provided to federal law enforcement and to the U.S. Department of Health and Human Services.

What Affected Individuals Can Do. Potentially affected individuals are encouraged to, as always, remain vigilant and monitor their account statements, financial transactions, and free credit reports for potential fraud and identity theft, and promptly report any concerns. We suggest you regularly review bills, notices, and statements, and promptly report any questionable or suspicious activity. You can also find out more about how to safeguard your information by reviewing the below Recommended Steps to Help Protect Your Information.

For More Information. If you have any questions regarding this incident, please email us at questions@medibase.com.

 

Recommended Steps to Help Protect Your Information

Review Your Credit Reports. We recommend that you remain vigilant by reviewing account statements and monitoring credit reports. Under federal law, you also are entitled every 12 months to one free copy of your credit report from each of the three major credit reporting companies. To obtain a free annual credit report, go to www.annualcreditreport.com or call 1-877-322-8228. You may wish to stagger your requests so that you receive a free report by one of the three credit bureaus every four months.

Contact the U.S. Federal Trade Commission

If you detect any unauthorized transactions in any of your financial accounts, promptly notify the appropriate payment card company or financial institution.  If you detect any incidents of identity theft or fraud, promptly report the matter to your local law enforcement authorities, state Attorney General and the FTC.

You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft by using the contact information below:

Federal Trade Commission

Consumer Response Center

600 Pennsylvania Avenue, NW

Washington, DC 20580

1-877-IDTHEFT (438-4338)

www.ftc.gov/idtheft/

 

Place Fraud Alerts with the Three Credit Bureaus. If you choose to place a fraud alert, we recommend you do this after activating your credit monitoring. You can place a fraud alert at one of the three major credit bureaus by phone and also via Experian’s or Equifax’s website. A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. The contact information for all three bureaus is as follows:

Credit Bureaus

Equifax Fraud Reporting 1-866-349-5191 P.O. Box 105069 Atlanta, GA 30348-5069 www.equifax.com

Experian Fraud Reporting 1-888-397-3742 P.O. Box 9554 Allen, TX 75013 www.experian.com

TransUnion Fraud Reporting 1-800-680-7289 P.O. Box 2000 Chester, PA 19022-2000 www.transunion.com

 

It is necessary to contact only ONE of these bureaus and use only ONE of these methods. As soon as one of the three bureaus confirms your fraud alert, the others are notified to place alerts on their records as well. You will receive confirmation letters in the mail and will then be able to order all three credit reports, free of charge, for your review. An initial fraud alert will last for one year.

Please Note: No one is allowed to place a fraud alert on your credit report except you.

Security Freeze. By placing a security freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name. You will need to contact the three national credit reporting bureaus listed above to place the freeze. Keep in mind that when you place the freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. There is no cost to freeze or unfreeze your credit files. This can be accomplished by contacting the credit bureaus listed below:

Equifax Security Freeze	P.O. Box 105788 Atlanta, GA 30348	1-800-685-1111	www.equifax.com
Experian Security Freeze	P.O. Box 9554 Allen, TX 75013	1-888-397-3742	www.experian.com
TransUnion	P.O. Box 160 Woodlyn, PA 19094	1-888-909-8872	www.transunion.com

 

Additional Information. You can obtain additional information about the steps you can take to avoid identity theft from the following agencies. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them.

Massachusetts	You have the right to obtain a police report with respect to this incident.  If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
New York	You may also obtain information about security breach response and identity theft prevention and protection from the New York Attorney General’s Office: Office of the Attorney General, The Capitol, Albany, NY 12224-0341, 1-800-771-7755, www.ag.ny.gov.
North Carolina	You may also obtain information about preventing and avoiding identity theft from the North Carolina Attorney General’s Office: North Carolina Attorney General’s Office, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-919-716-6000, www.ncdoj.gov.