Title Image

Data Security Incident

Rocky Mountain Health Care Services Notifies Participants of Data Security Incident

Colorado Springs, CO ˗ April 30, 2019 ˗ Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, and HealthRide (collectively “RMHCS”), has become aware of a data security incident that may have involved the personal and limited protected health information of some of its participants. Although at this time there is no evidence of any attempted or actual misuse of anyone’s information as a result of this incident, we have taken steps to notify all potentially impacted individuals and to provide resources to assist them.

On October 25, 2018, we discovered that an unknown individual gained access to one of our employee’s e-mail accounts. It appears that our employee may have been the victim of an email phishing campaign. The employee’s account contained stored e-mails that included some participants’ first and last name, address, date of birth, Social Security Number, Medicare/Medicaid identification number, and/or limited medical treatment information. We note that no financial account information was involved in this incident.

Upon discovering the incident, our IT department immediately prevented any further unauthorized access to the account by changing the employee’s password and email credentials. We also retained an independent computer forensics company to conduct an extensive IT investigation to determine what information may have been accessed. On January 18, 2019, the investigation confirmed that the incident was limited to the one employee’s email account, and that no other systems or servers were impacted. The detailed investigation also revealed that some participants’ information was contained in the email account at issue. However, the investigators did not find evidence that any personal information was in fact stolen or misused.

We take the security of all information in our control very seriously, and has taken steps to prevent a similar event from occurring in the future. Those steps include strengthening our cybersecurity posture by enabling multi-factor authentication for remote access to email accounts, updating the security configurations within our email network, and implementing additional security products to further protect our network.

We mailed letters to individuals potentially impacted by this event which include information about the incident and steps potentially impacted individuals can take to monitor and protect their personal information. We have also established a toll-free call center to answer questions about the incident and related concerns. The call center is available Monday through Friday from 7:00 a.m. to 4:30 p.m. Mountain Time and can be reached at 1-866-775-4209.

The privacy and protection of personal information is a top priority for RMHCS, which sincerely regrets any concern or inconvenience that this matter may cause.

The following information is provided to help individuals wanting more information on steps they can take to protect themselves:

How do I obtain a copy of my credit report?
You can obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To order your credit report, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is included in the e-mail and letter, and is also listed at the bottom of this page.

How do I put a fraud alert on my account?
You may consider placing a fraud alert on your credit report. This fraud alert statement informs creditors to possible fraudulent activity within your report and requests that your creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact Equifax, Experian or TransUnion and follow the Fraud Victims instructions. To place a fraud alert on your credit accounts, contact your financial institution or credit provider. Contact information for the three nationwide credit reporting agencies is included in the letter and is also listed at the bottom of this page.

Contact information for the three nationwide credit reporting agencies is as follows:

Equifax Security Freeze
PO Box 105788
Atlanta, GA 30348

Experian Security Freeze
PO Box 9554
Allen, TX 75013

TransUnion (FVAD)
PO Box 2000
Chester, PA 19022