Notice of Cybersecurity Incident
Acadia Health, LLC d/b/a Just Kids Dental’s (“Just Kids Dental” or “JKD“) is commitment to protecting the privacy and security of our patients’, parents’, and employees’ confidential information. We take information privacy very seriously, and it is important to us that you are made fully aware of any potential privacy issue. The purpose of this notice is to provide you with information about a recent data incident, our response to it, and additional steps you may take to better protect your personal information, should you feel it appropriate to do so.
On August 2, 2023 Acadia Health, LLC’s (“Just Kids Dental” or “JKD”) computer systems and network were attacked by a malicious actor. On the evening of August 7th, 2023, a program was used to encrypt JKD’s computer networks and data, including systems that Just Kids Dental uses to store certain patient and employee files. This incident was discovered on the morning of August 8, 2023.
What Information Was Involved
The information stored on the impacted servers related to you will depend on your relationship to Just Kids Dental:
- For patients, the affected personal information may have included your name, address, email, phone number(s), birth date, Social Security number, driver’s license number, health insurance policy information, treatment information including radiographic images, medical record number, account number, and health conditions.
- For patient parents or guardians, the affected personal information may have included your name, address, email, phone number(s), birth date, Social Security number, driver’s license number, and health insurance policy information.
- For current and former employees, the affected personal information may have included your name, Social Security number, local state and federal licensing information (NPI, DEA, and State licensing numbers).
At the time of the breach, less than 11% of our unique patient records included a Social Security Number.
Just Kids Dental does not hold any patient financial information with the exclusion of patient service charges rendered. No patient banking or credit card account information was obtained in this breach.
Just Kids Dental is not presently aware of any misuse of your information. We have negotiated with the malicious actor, and they have agreed to delete any data retained and confirmed the data has not been sold or distributed. At this time, we have no reason to believe any misuse of this data will come to our patients, parents, or employees. However, this notice is an abundance of caution so you can take the steps you feel necessary to protect your information; We strongly believe that every persons effected should remain vigilant in monitoring their credit report due to the number of recent cyber breaches.
What We Are Doing
We take the confidentiality, privacy, and security of information in our care seriously. Immediately after discovering the incident, JKD took steps to investigate the incident and secure and safely restore its systems and operations. In addition, JKD engaged with an independent subject matter expert to investigate the vector of the attack and determine the nature and scope of the incident and to assist in the remediation efforts. Mitigation efforts associated with this breach include negotiating with the threat actor.
The security and privacy of patient information contained within JKD’s systems is a top priority, and JKD is taking additional measures to protect this information. Since the incident, JKD has continued to strengthen its security posture by implement additional safeguards and review policies and procedures relating to data privacy and security.
What You Can Do
JKD encourages you to remain vigilant against incidents of identity theft and fraud, to monitor your account statements, and to watch for suspicious or unauthorized activity. If you suspect or discover that your information has been used inappropriately, please notify your local law enforcement or consumer protection agency.
We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. The Federal Trade Commission also recommends placing a fraud alert on your credit file, which can be done through these credit reporting agencies. A fraud alert lets creditors know to contact you before opening any new accounts or changing current accounts. These agencies can also provide information about placing a security freeze on your credit files. By placing a freeze, someone who fraudulently obtains your personal information will not be able to use that information to open new accounts or borrow money in your name. Contact information for the three nationwide credit reporting companies is as follows:
PO Box 740241
Atlanta, GA 30374
PO Box 2002
Allen, TX 75013
PO Box 2000
Chester, PA 19016
If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:
- Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
Even if no suspicious activity is found, the Federal Trade Commission (“FTC”) recommends that you periodically check your credit reports. Personal information is not always used immediately. Rather, it can be held onto for later use or bundled with other persons’ information for batch sale. Checking your credit reports periodically can help you spot and address problems quickly. For more information and more tips from the FTC about protecting your information, please visit IdentityTheft.gov or call 1-877-ID-THEFT (877-438-4338).
Fraud Alerts and Credit or Security Freezes:
Fraud Alerts: There are two types of general fraud alerts you can place on your credit report to put your creditors on notice that you may be a victim of fraud—an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for one year. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years.
To place a fraud alert on your credit reports, contact one of the nationwide credit bureaus. A fraud alert is free. The credit bureau you contact must tell the other two, and all three will place an alert on their versions of your report.
For those in the military who want to protect their credit while deployed, an Active Duty Military Fraud Alert lasts for one year and can be renewed for the length of your deployment. The credit bureaus will also take you off their marketing lists for pre-screened credit card offers for two years, unless you ask them not to.
Credit or Security Freezes: You have the right to put a credit freeze, also known as a security freeze, on your credit file, free of charge, which makes it more difficult for identity thieves to open new accounts in your name. That’s because most creditors need to see your credit report before they approve a new account. If they can’t see your report, they may not extend the credit.
How do I place a freeze on my credit reports? There is no fee to place or lift a security freeze. Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit reporting company. For information and instructions to place a security freeze, contact each of the credit reporting agencies at the addresses below:
- Experian Security Freeze, PO Box 9554, Allen, TX 75013, www.experian.com
- TransUnion Security Freeze, PO Box 2000, Chester, PA 19016, www.transunion.com
- Equifax Security Freeze, PO Box 105788, Atlanta, GA 30348, www.equifax.com
You’ll need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit bureau will provide you with a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
How do I lift a freeze? A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, then the bureau must lift the freeze no later than three business days after getting your request.
If you opt for a temporary lift because you are applying for credit or a job, and you can find out which credit bureau the business will contact for your file, you can save some time by lifting the freeze only at that particular credit bureau. Otherwise, you need to make the request with all three credit bureaus.
Additional information for residents of the following states:
Connecticut: You may contact and obtain information from your state attorney general at: Connecticut Attorney General’s Office, 165 Capitol Ave, Hartford, CT 06106, 1-860-808-5318, www.ct.gov/ag.
District of Columbia: You may contact the Office of the Attorney General fo rhte District of Columbia, 441 4th Street NW, Suite 110 South, Washington D.C. 20001, https://www.oag.dc.gov/, 1-202-727-3400.
Maryland: You may contact and obtain information about avoiding identity theft from your state attorney general at: Maryland Attorney General’s Office, 200 St. Paul Place, Baltimore, MD 21202, 1-888-743-0023 / 1-410-576-6300, www.oag.state.md.us.
Massachusetts: This incident involves 1 individual in Massachusettes. Under Massachusetts law, you have the right to file and obtain a copy of a police report. You also have the right to request a security freeze, as described above. You may contact and obtain information from your state attorney general at: Office of the Massachusetts Attorney General, One Ashburton Place, Boston, MA 02108, 1-617-727-8400, www.mass.gov/ago/contact-us.html
New York: You may contact and obtain information from these state agencies: New York Department of State Division of Consumer Protection, One Commerce Plaza, 99 Washington Ave., Albany, NY 12231-0001, 518-474-8583 / 1-800-697-1220, http://www.dos.ny.gov/consumerprotection | New York State Office of the Attorney General, The Capitol, Albany, NY 12224-0341, 1-800-771-7755, https://ag.ny.gov
North Carolina: You may contact and obtain information from your state attorney general at: North Carolina Attorney General’s Office, 9001 Mail Service Centre, Raleigh, NC 27699, 1-919-716-6000 / 1-877-566-7226, www.ncdoj.gov.
Oregon: You are advised to report any suspected identity theft to law enforcement, including the FTC and Oregon Attorney General. For more informaiton on security locks, you can visit the Oregon Department of Conusmer and Commercial Services Website at www.dfcs.oregon.gov/id_theft.html and click “How to get a security freeze.”
Rhode Island: This incident involves 0 individuals in Rhode Island. Under Rhode Island law, you have the right to file and obtain a copy of a police report. You also have the right to request a security freeze, as described above. You may contact and obtain information from your state attorney general at: Rhode Island Attorney General’s Office, 150 South Main Street, Providence, RI 02903, 1-401-274-4400, www.riag.ri.gov
West Virginia: You have the right to ask that nationwide consumer reporting agencies place “fraud alerts” in your file to let potential creditors and others know that you may be a victim of identity theft, as described above. You also have a right to place a security freeze on your credit report, as described above.
A Summary of Your Rights Under the Fair Credit Reporting Act: The federal Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. There are many types of consumer reporting agencies, including credit bureaus and specialty agencies (such as agencies that sell information about check writing histories, medical records, and rental history records). Your major rights under the FCRA are summarized below. For more information, including information about additional rights, go to www.consumerfinance.gov/learnmore or write to: Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
- You must be told if information in your file has been used against you.
- You have the right to know what is in your file.
- You have the right to ask for a credit score.
- You have the right to dispute incomplete or inaccurate information.
- Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information.
- Consumer reporting agencies may not report outdated negative information.
- Access to your file is limited.
- You must give your consent for reports to be provided to employers.
- You may limit “prescreened” offers of credit and insurance you get based on information in your credit report.
- You have a right to place a “security freeze” on your credit report, which will prohibit a consumer
reporting agency from releasing information in your credit report without your express authorization.
- You may seek damages from violators.
- Identity theft victims and active duty military personnel have additional rights.
For More Information
JKD sincerely regrets any inconvenience or concern that this Incident may cause you, and JKD remains dedicated to ensuring the privacy and security of all information with it’s control. If you have further questions or concerns, please contact us toll-free at (800) 279-0381 from 8:00 AM – 4:30 PM CST Monday – Friday, or check back here (online) for additional updates.
Is my banking/ Financial Information at risk?
- No – Just Kids Dental does not collect or store any financial information
How can I get a copy of a credit report?
- An annual credit report can be obtained from each of the three major credit bureaus at not cost.
- To gain access to a free credit report, please browse to: https://www.annualcreditreport.com
I am a patient/guardian of a patient of JKD. Am I affected?
- If you received notice from JKD, then yes, your information was involved in this incident.
I am a current/former employee of JKD. Am I affected?
- If you received notice from JKD, then yes, your information was involved in this incident.
What caused the data breach?
- The malicious actor exploited a vulnerability in our computing systems to install a malware program that forcibly encrypted the system and downloaded some of the data held on that system. That vulnerability has since been closed and is no longer at issue.
- The data breach was caused by a malicious actor exploiting a ‘Zero-Day’ vulnerability on an appliance we had hosted on our network.
What did you do about it and how are your preventing it in the future?
- Zero-Day vulnerabilities are names as such because they are unknown to us or supporting software/ hardware vendors. While it’s possible to mitigate risks, it’s not possible to eliminate them.
- This piece of hardware previously allowed our staff and doctors to treat patients outside of the office in a hospital setting.
- While this is an important piece of our infrastructure, we have decided to decommission the appliance and result to paper chartering while conducting hospital days to eliminate the possibility of a similar attack in the future. We are working to reduce our total threat surfaces.
- The cause of the breach was not due to any improper policies, employee training, mishandling of data, or user error. Though, those are possible threat surfaces.
- Just Kids Dental conducts routine HIPAA and Cyber Security training with all employees and maintains written HIPAA and security policies.
Can you tell me exactly what was involved in MY breach?
- While we can’t be sure of exactly what records where breached, we can tell you what records we have for you and/ or your children.
- You may call us Toll-Free at (800) 279-0381 from 8 AM to 4:30 PM CST.
- Depending on the nature of your call, and your questions, you may be asked to provide some information to verify your identity. We will not ask you for your Social Security Number.
Has my information been misused?
- At tis time, Just Kids Dental has no reason to believe any information related to this breach has been re-published or misused.
- We have been told by the threat actor that they have deleted the data, did not publish, sell or trade it.
- If you suspect or discover that your information has been used inappropriately, please notify your local law enforcement or consumer protection agency.
Who should I contact if I have questions?
- You can call us at (800) 279-0381 for more information
What are the risks of identify theft with the information that was exposed?
- Receiving a letter does not mean that you are a victim of identity theft. We are recommending that people review their letter and pay attention to the recommendations provided.