Privacy Incident at The Affiliated Group (“TAG”) – September 2018
What Happened? On or about March 28, 2018, we at The Affiliated Group (“TAG”), confirmed that an earlier phishing email incident in November 2017 involving TAG, resulted in unauthorized access to one TAG employee email account. Upon learning of the phishing email incident, we immediately disabled the account and reset all account passwords. Thereafter we worked with third-party forensic investigators to determine what happened, and whether sensitive information may have been accessible. With the assistance of the investigators, we learned that an unauthorized actor gained access to the one TAG employee email account. Unfortunately, the investigation was unable to determine which emails, if any, were specifically accessed as a result of this incident. The only confirmed unauthorized activity identified was the use of the account to send phishing emails in an attempt to harvest user credentials. Since the investigation was unable to rule out access to any specific email or attachment, we undertook a programmatic and manual review of the contents of the account.
What Information Was Involved? The thorough review of the account involved a programmatic and manual process that looked at every email and attachment in the account to identify the personal and protected health information present, verify whom the accessible information belonged to, and obtain a last known address to direct the notice of the incident. Through this lengthy and time-consuming process, our investigation determined that your name and some combination of protected and/or personal information including, Social Security number, driver’s license number/state identification number, and financial account or payment card number was potentially accessible in attachments contained within the email account. This information would have been shared with TAG as part of the collection services TAG performs on behalf of certain medical providers and other organizations. We currently have no evidence that any of your information was subject to actual or attempted misuse as a result of this incident.
What We Are Doing? We take the privacy of your information in our possession seriously. We have taken steps to further increase our security awareness to reduce the likelihood of a similar event from occurring in the future. We are providing notice of this event to those whose who may be affected, which includes access to free credit monitoring services. We also notified the affected creditor, to whom TAG was acting as collections agent for and we are notifying certain regulators as required.
What You Can Do. You can enroll and receive the free credit monitoring and identity restoration services we are offering through TransUnion®. You can also review the below Steps You Can Take to Protect Your Information for additional details on how to better protect against potential misuse of your information.
For More Information. We understand that you may have questions about this incident that are not addressed in this notice. If you have additional questions, please call our dedicated assistance line at (844) 801-5967, Monday through Friday, 8:00 a.m. to 8:00 p.m. CT (excluding US holidays).
STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION
We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, explanation of benefits and to monitor your credit reports for suspicious activity. Under U.S. law you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.
At no charge, you can also have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it may also delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
P.O. Box 105069
Atlanta, GA 30348
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19022-2000
You may also place a security freeze on your credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. If you have been a victim of identity theft, and you provide the credit bureau with a valid police report, it cannot charge you to place, list or remove a security freeze. In all other cases, a credit bureau may charge you a fee to place, temporarily lift, or permanently remove a security freeze. You will need to place a security freeze separately with each of the three major credit bureaus listed above if you wish to place a freeze on all of your credit files. To find out more on how to place a security freeze, you can use the following contact information:
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19022-2000
You can further educate yourself regarding identity theft, fraud alerts, and the steps you can take to protect yourself, by contacting the Federal Trade Commission or your state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide some kind of proof that they have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement. This notice has not been delayed by law enforcement. For Maryland residents, the Attorney General can be reached at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-888-743-0023; and www.oag.state.md.us. For North Carolina residents, the Attorney General can be contacted by mail at 9001 Mail Service Center, Raleigh, NC 27699-9001; toll-free at 1-877-566-7226; by phone at 1-919-716-6400; and online at www.ncdoj.gov. For Rhode Island residents, the Attorney General can be contacted by mail at 150 South Main Street, Providence, RI 02903; by phone at (401) 274-4400; and online at www.riag.ri.gov. A total of 11 Rhode Island resident(s) may be impacted by this incident. For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violator. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting https://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0096-fair-credit-reporting-act.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above.