Notice of Data Security Incident

Consumer Notification Letter

• American Sign Language (ASL)
• Chinese
• English
• Haitian Creole
• Portuguese
• Spanish
• Vietnamese

Notice of Data Security Incident

FRAMINGHAM, MASS.: May, 11, 2022 – Behavioral Health Partners of MetroWest LLC (“BHPMW”) a Massachusetts based organization which partners with local and state healthcare providers to provide better access and care coordination has learned of a data security incident that may have impacted data belonging to current and former individuals referred to BHPMW.  BHPMW operates a Behavioral Health Community Partner Program under contract with MassHealth and in collaboration with 5 provider agencies – Advocates, Family Continuity, SMOC, Spectrum Health Systems, and Wayside Youth and Family Support. BHPMW sent notification of this incident to potentially impacted individuals with identifiable address information and has provided resources to assist them. 

On October 1, 2021, BHPMW was informed that BHPMW data had been copied from its digital environment by an unauthorized actor. Upon discovering this activity, BHPMW took steps to secure the digital environment.  We also engaged a leading cybersecurity firm to assist with an investigation to determine whether personal information may have been accessed or acquired without authorization in conjunction with the attack.  The investigation revealed that an unknown actor gained access to and obtained data from a network storing BHPMW data between September 14, 2021 and September 18, 2021.  

The following personal and protected health information may have been involved in the incident: name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information. 

Following the investigation, BHPMW began collecting the contact information needed to provide notice to potentially affected individuals. The Federal Bureau of Investigation was notified and BHPMW will provide whatever cooperation is necessary to hold the perpetrators accountable, if possible. BHPMW takes the security and privacy of service recipient information very seriously and is taking additional steps to prevent a similar event from occurring in the future.

Beginning on May 11, 2022, BHPMW mailed notice of this incident to potentially impacted individuals.  In this notification letter, BHPMW provided information about the incident and about steps that potentially impacted individuals can take to protect their information.  BHPMW also offered individuals access to complimentary credit monitoring and identity protection services through IDX.  

BHPMW has established a toll-free call center to answer questions about the incident and to address related concerns.  Call center representatives are available Monday through Friday between 9:00 am – 9:00 pm Eastern Time and can be reached at (833) 774-2040.  All potentially impacted individuals may qualify for complimentary credit monitoring and identity protection services through IDX.  Individuals who have not received a notification letter must obtain verification of eligibility through the call center to enroll in services. 

The privacy and protection of personal and protected health information is a top priority for BHPMW, which deeply regrets any inconvenience or concern this incident may cause.

While we are not aware of the misuse of any potentially affected individual’s information, we are providing the following information to help those who want to know more about steps they can take to protect themselves and their personal information:

What steps can I take to protect my personal information?

• Please notify your financial institution immediately if you detect any suspicious activity on any of your accounts, including unauthorized transactions or new accounts opened in our name that you do not recognize. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.
• You can request a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To do so, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll free at 1-833-365-2599. Contact information for the three nationwide credit reporting agencies is listed at the bottom of this page.
• You can take steps recommended by the Federal Trade Commission to protect yourself from identify theft. The FTC’s website offers helpful information at www.ftc.gov/idtheft. 

• Additional information on what you can do to better protect yourself is included in your notification letter.

How do I obtain a copy of my credit report?

You can obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies.  To order your credit report, free of charge once every 12 months, please visit www.annualcreditreport.com  or call toll free at 1-877-322-8228. Use the following contact information for the three nationwide credit reporting agencies:

TransUnion P.O. Box 1000 Chester, PA 19016 1-800-916-8800 www.transunion.com

Experian P.O. Box 9532 Allen, TX 75013 1-888-397-3742 www.experian.com

Equifax P.O. Box 105851 Atlanta, GA 30348 1-800-685-1111 www.equifax.com

How do I put a fraud alert on my account?

You may consider placing a fraud alert on your credit report. This fraud alert statement informs creditors to possible fraudulent activity within your report and requests that your creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact Equifax, Experian or TransUnion and follow the Fraud Victims instructions. To place a fraud alert on your credit accounts, contact your financial institution or credit provider. Contact information for the three nationwide credit reporting agencies is included in the letter and is also listed at the bottom of this page.

How do I put a security freeze on my credit reports?

You also have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, or regular stamped mail, or online by following the instructions found at the websites listed below. You will need to provide the following information when requesting a security freeze (note that if you are making a request for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) address. You may also be asked to provide other personal information such as your email address, a copy of a government-issued identification card, and  a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. There is no charge to place, lift, or remove a freeze. You may obtain a security freeze by contacting any one or more of the following national consumer reporting agencies:

Equifax Security Freeze         Experian Security Freeze            TransUnion (FVAD)

PO Box 105788                       PO Box 9701                                PO Box 2000 

Atlanta, GA 30348        Allen, TX 75013           Chester, PA 19022

1-800-685-1111       1-888-397-3742           1-800-909-8872 

www.equifax.com       www.experian.com             www.transunion.com

What should I do if my family member was involved in the incident and is deceased?

You may choose to notify the three major credit bureaus, Equifax, Experian and Trans Union, and request they flag the deceased credit file. This will prevent the credit file information from being used to open credit. To make this request, mail a copy of your family member’s death certificate to each company at the addresses below. 

     Equifax                                       Experian                                     TransUnion

     Equifax Information Services       Experian Information Services     Trans Union Information Services

     P.O. Box 105169                          P.O. Box 9701                              P.O. Box 2000

     Atlanta, GA 30348                        Allen, TX 75013                           Chester, PA 19022

What should I do if my minor child or protected person’s information was involved in the incident?

You can request that each of the three national credit reporting agencies perform a manual search for a minor’s or protected person’s Social Security number to determine if there is an associated credit report. Copies of identifying information for the minor and parent/guardian may be required, including birth or adoption certificate, Social Security card and government-issued identification card. If a credit report exists, you should request a copy of the report and immediately report any fraudulent accounts to the credit reporting agency. You can also report any misuse of a minor’s information to the FTC at https://www.identitytheft.gov/. For more information about Child Identity Theft and instructions for requesting a manual Social Security number search, visit the FTC website:

https://www.consumer.ftc.gov/articles/0040-child-identity-theft. Contact information for the three national credit reporting agencies may be found above.