Notice of Data Breach

Welcome Health has determined that a data security incident may have resulted in limited unauthorized access to or disclosure of certain identifying information that we maintain on behalf of our patients and contracted workforce. 

What happened?

On July 8, 2024, we became aware of suspicious email activity that indicated unauthorized access to a Welcome Health user’s email account. We immediately terminated the user’s access to Welcome Health systems, launched an investigation and engaged third-party forensic experts to determine the nature and scope of the incident. 

Following an extensive forensic analysis, we learned that the user’s credentials were compromised and, because of the compromise, an unauthorized party was able to access certain Welcome Health systems. It is believed that the unauthorized access occurred from June 11, 2024, through July 8, 2024, and included the user’s emails and a limited number of Welcome Health files. Welcome Health initiated a comprehensive review of the data to determine what type of information was present and to whom it relates. The review was completed on August 12, 2024, and we identified protected health information (PHI) and personal information (PI) of some of our patients and contractors, respectively.

What information may have been involved?

While we have no evidence that any data was used for identity theft or fraud, our investigation determined that the following information was present in the files and emails potentially accessed by the unauthorized party and may have been impacted. Not all data categories were affected for every individual.

• Patients:  first name, last name, date of birth, patient number, health plan member number, claim number, dates of service, diagnosis, and treatment.
• Contractors:  first name, last name, social security number (SSN) or tax identification number (TIN).

What are we doing?

As soon as Welcome Health discovered the incident, we immediately terminated the unauthorized access, engaged a nationally recognized forensic investigator, and took steps to secure the affected systems. As a result of this incident, we have reinforced relevant policies and provided targeted security training to our workforce members. Additionally, we have enhanced our security posture to prevent similar incidents from occurring in the future.

Individuals affected by this incident are being mailed notices. We are also posting this notice on our website as permitted by HIPAA. This notice and toll-free number provided below will remain active for at least 90 days.

What you can do.

Welcome Health has arranged through Experian IdentityWorksSM  to provide complimentary credit monitoring and identity theft protection for a period of two (2) years to all impacted individuals. If your information was involved in the incident, you will receive a unique activation code that you can use to enroll online or via phone.  You will also be provided with a deadline to activate these free-of-charge services.  If you are reading this notice on our website and did not receive a notice through the mail but you think you may have been impacted, please call this toll-free phone number 833-931-4300 and reference engagement number B130083. The call center is available Monday through Friday from 6:00 am to 8:00 PST, or Saturday and Sunday 8:00 am to 5:00 pm PST (excluding major U.S. holidays).  

We encourage you to carefully review financial statements, credit reports and other accounts to ensure that all account activity is valid.

For more information.

If you have any questions or would like additional information, please refer to the STEPS YOU CAN TAKE TO HELP PROTECT PERSONAL INFORMATION below or call the toll-free phone number 833-931-4300 and reference engagement number B130083. The call center is available Monday through Friday from 6:00 am to 8:00 PST, or Saturday and Sunday 8:00 am to 5:00 pm PST (excluding major U.S. holidays).  

We regret any inconvenience or concern caused by this incident.  Welcome Health is committed to providing the best possible patient care and protecting the privacy and confidentiality of the information we maintain.

Sincerely,

Welcome Health

STEPS YOU CAN TAKE TO HELP PROTECT PERSONAL INFORMATION

Review your Account Statements

Carefully review communications and statements sent to you from Welcome Health, your insurance provider, and your financial institution. Report any questionable information or charges promptly. 

Provide any updated Personal Information

Welcome Health may ask to see a photo ID to verify your identity. Please have a photo ID available at every appointment, if possible. Welcome Health may also ask you to confirm your date of birth, address, telephone number and other pertinent information so that we can ensure all your information is current. Please be sure and tell Welcome Health when there are any changes to your contact information. Carefully reviewing this information with your provider at each visit can help to avoid problems and to address them quickly should there be any discrepancies.

Order Your Free Credit Report

To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through the website, toll free number or request form.

Upon receiving your credit report, review it carefully. Look for accounts you did not open. Look in the “inquiries” section for names of creditors from whom you have not requested credit. Some companies bill under names other than their store or commercial names; the credit bureau will be able to tell if this is the case. Look in the “personal information” section for any inaccuracies in information (such as home address and Social Security Number).

If you see anything you do not understand, call the credit bureau at the telephone number on the report. Errors may be a warning sign of possible identity theft. You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected. If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing. Information that cannot be explained should also be reported to your local police or sheriff’s office because it may signal criminal activity.

Contact the U.S. Federal Trade Commission

If you detect any unauthorized transactions in any of your financial accounts, promptly notify the appropriate payment card company or financial institution. If you detect any incidents of identity theft or fraud, promptly report the matter to your local law enforcement authorities, state Attorney General and the FTC.

You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft by using the contact information below:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft

Place a Fraud Alert on Your Credit File

To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect against the possibility of an identity thief opening new credit accounts in your name. When a credit grantor checks the credit history of someone applying for credit, the credit grantor gets a notice that the applicant may be the victim of identity theft. The alert notifies the credit grantor to take steps to verify the identity of the applicant. You can place a fraud alert on your credit report by calling any one of the toll-free fraud numbers provided below. You will reach an automated telephone system that allows flagging of your file with a fraud alert at all three credit bureaus.

Security Freezes

You have the right to request a credit freeze from a consumer reporting agency, free of charge, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a security freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a security freeze may delay your ability to obtain credit.

Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit bureau. To place a security freeze on your credit report, you must contact the credit reporting agency by phone, mail, or secure electronic means and provide proper identification of your identity. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.

Below, please find relevant contact information for the three consumer reporting agencies:

Once you have submitted your request, the credit reporting agency must place the security freeze no later than 1 business day after receiving a request by phone or secure electronic means, and no later than 3 business days after receiving a request by mail. No later than five business days after placing the security freeze, the credit reporting agency will send you confirmation and information on how you can remove the freeze in the future.