September 26, 2024
The privacy and security of the personal information we maintain is of the utmost importance to Community Clinic of Maui, Inc., dba Mālama I Ke Ola Health Center (“Mālama”). We are writing with important information regarding a data security incident.
On May 7, 2024, Mālama experienced a cybersecurity incident that impacted connectivity to its network. Upon learning of this issue, Mālama immediately commenced a prompt and thorough investigation. Mālama also notified law enforcement. As part of the investigation, Mālama has been working very closely with external cybersecurity professionals experienced in handling these types of incidents. After an extensive forensic investigation and comprehensive document review, on August 7, 2024, Mālama determined personal data may have been subject to unauthorized access and acquisition between May 4, 2024 and May 7, 2024. The personal information that was potentially impacted included first and last names with one or more of the following identifiers: Social Security Number, Date Of Birth, Driver's License Number / State Id Number, Passport Number, Financial Account Number, Routing Number, Bank Name, Credit / Debit Card Number, Card CVV Expiration Date, Pin/Security Code, Login Information, Medical Diagnosis, Clinical Information, Medical Treatment/Procedure Information, Treatment Type, Treatment Location, Treatment Cost Information, Doctor's Name, Medical Record Number, Patient Account Number, Prescription Information and/ or Biometric Data. Mālama has no evidence that any personal information has been or will be misused for identity theft as a direct result of this incident. However, out of abundance of caution, commencing on September 26, 2024, Mālama notified impacted individuals whose contact information was on file. Notified individuals have been provided with best practices to protect their information, and individuals whose Social Security numbers were potentially impacted have been offered complimentary credit monitoring. Notified individuals should also review the preventive measures outlined in the “Other Important Information” section. Mālama is committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it. Mālama continually evaluates and modifies its practices to enhance the security and privacy of the personal information it maintains. Mālama has also established a call center to address questions from impacted individuals.
Representatives are available between the hours of 9:00 a.m. to 9:00 p.m. Eastern time, Monday through Friday, excluding major U.S. holidays, at the number: 1-866-311-1677.
Under federal law, you are entitled to one free credit report every 12 months from each of the three major nationwide credit reporting companies. You can obtain a free copy of your credit report by calling 1-877-322-8228, visiting www.annualcreditreport.com or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can access the request form https://www.annualcreditreport.com/index.action. Alternatively, you can elect to purchase a copy of your credit report by contacting one of the three national credit reporting agencies. The three nationwide credit reporting agencies' contact information are provided below:
Equifax
P.O. Box 105069
Atlanta, GA 30348-5069https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/ (800) 525-6285
Experian
P.O. Box 9554
Allen, TX 75013https://www.experian.com/fraud/center.html(888) 397-3742
TransUnion
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19016-2000https://www.transunion.com/fraud-alerts (800) 680-7289
Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
You can place an initial 1-year “fraud alert” on your credit files, at no charge. An initial fraud alert is free and will stay on your credit file for at least twelve months. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you before establishing any accounts in your name. To place a fraud alert, call any one of the three major credit bureaus at the numbers listed below. As soon as one credit bureau confirms your fraud alert, they will notify the others. Additional information is available at https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/.
Equifax
P.O. Box 105069
Atlanta, GA 30348-5069https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/ (800) 525-6285
Experian
P.O. Box 9554
Allen, TX 75013https://www.experian.com/fraud/center.html(888) 397-3742
TransUnion
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19016-2000https://www.transunion.com/fraud-alerts (800) 680-7289
The following is general information about how to request a security freeze from the three credit reporting agencies at no charge. While we believe this information is accurate, you should contact each agency for the most accurate and up-to-date information. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing, or other services. There might be additional information required, and as such, to find out more information, please contact the three nationwide credit reporting agencies (contact information provided below). You may place a security freeze on your credit report by contacting all three nationwide credit reporting companies at the numbers below and following the stated directions or by sending a request in writing, by mail, to all three credit reporting companies:
Equifax
P.O. Box 105069
Atlanta, GA 30348-5069https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/ (800) 525-6285
Experian
P.O. Box 9554
Allen, TX 75013https://www.experian.com/fraud/center.html(888) 397-3742
TransUnion
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19016-2000https://www.transunion.com/fraud-alerts (800) 680-7289
In order to place the security freeze, you will need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit reporting company will send you a confirmation letter containing a unique PIN (personal identification number) or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
If your personal information has been used to file a false tax return, to open an account or to attempt to open an account in your name or to commit fraud or other crimes against you, you may file a police report in the City in which you currently reside.
We have no evidence that your medical information involved in this incident was or will be used for any unintended purposes. However, the following practices can provide additional safeguards to protect against medical identity theft.
Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Checking your credit report periodically can help you spot problems and address them quickly.
If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call your local law enforcement agency and file a police report. Be sure to obtain a copy of the police report, as many creditors will want the information it contains to absolve you of the fraudulent debts. You may also file a complaint with the FTC by contacting them on the web at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcement for their investigations. In addition, you may obtain information from the FTC about fraud alerts and security freezes.
Iowa Residents: You may contact law enforcement or the Iowa Attorney General’s Office to report suspected incidents of identity Theft: Office of the Attorney General of Iowa, Consumer Protection Division, Hoover State Office Building, 1305 East Walnut Street, Des Moines, IA 50319, www.iowaattorneygeneral.govTelephone: 515-281-5164
Maryland Residents: You may obtain information about avoiding identity theft from the Maryland Attorney General’s Office: Office of the Attorney General of Maryland, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, https://www.marylandattorneygeneral.gov/Telephone: 888-743-0023
Massachusetts Residents: Under Massachusetts law, you have the right to obtain a police report in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
New York Residents: You may obtain information about preventing identity theft from the New York Attorney General’s Office: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; https://ag.ny.gov/consumer-frauds-bureau/identity-theftTelephone: 800-771-7755
North Carolina Residents: You may obtain information about preventing identity theft from the North Carolina Attorney General’s Office: Office of the Attorney General of North Carolina, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov/Telephone: 877-566-7226 (Toll-free within North Carolina), 919-716-6000
Oregon Residents: You may obtain information about preventing identity theft from the Oregon Attorney General’s Office: Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, www.doj.state.or.us/Telephone: 877-877-9392
Washington D.C. Residents: You may obtain information about preventing identity theft from the Office of the Attorney General for the District of Columbia, 400 6th Street NW, Washington D.C. 20001, https://oag.dc.gov/consumer-protectionTelephone: 202-442-9828
New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information.
For more information about the FCRA, please visit,www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf or FCRAwww.ftc.gov
In Addition, New Mexico Consumers Have the Right to Obtain a Security Freeze or Submit a Declaration of Removal.
As noted above, you may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim to identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specified period of time after the freeze is in place. To remove the freeze or to provide authorization for the temporary release of your credit report, you must contact the consumer reporting agency and provide all of the following:
1. The unique personal identification number, password, or similar device provided by the consumer reporting agency.
2. Proper identification to verify your identity; and
3. Information regarding the third party or parties who are to receive the credit report or the period of time for which the credit report may be released to users of the credit report.
A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request. As of September 1, 2008, a consumer reporting agency shall comply with the request within fifteen minutes of receiving the request by a secure electronic method or by telephone.
A security freeze does not apply in all circumstances, such as where you have an existing account relationship and a copy of your credit report is requested by your existing creditor or its agents for certain types of account review, collection, fraud control, or similar activities; for use in setting or adjusting an insurance rate or claim or insurance underwriting; for certain governmental purposes; and for purposes of prescreening as defined in the federal Fair Credit Reporting Act.
If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze, either completely if you are shopping around or specifically for a certain creditor, with enough advance notice before you apply for new credit for the lifting to take effect. You should contact a consumer reporting agency and request it to lift the freeze at least three business days before applying. As of September 1, 2008, if you contact a consumer reporting agency by a secure electronic method or by telephone, the consumer reporting agency should lift the freeze within fifteen minutes. You have a right to bring a civil action against a consumer reporting agency that violates your rights under the Fair Credit Reporting and Identity Security Act.
To place a security freeze on your credit report, you must send a request to each of the three major consumer reporting agencies: Equifax, Experian, and TransUnion. You may contact these agencies using the contact information provided above.
Rhode Island Residents: You may contact law enforcement, such as the Rhode Island Attorney General’s Office, to report incidents of identity theft or to learn about steps you can take to protect yourself from identity theft. You can contact the Rhode Island Attorney General at: Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903, www.riag.ri.gov401-274-4400.
As noted above, you may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a “security freeze” on your credit report pursuant to chapter 48 of title 6 of the Identity Theft Prevention Act of 2006.
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five (5) business days you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:
A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report shall comply with the request no later than three (3) business days after receiving the request.
A security freeze does not apply to circumstances where you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of an account review, collection, fraud control, or similar activities.
If you are actively seeking a new credit, loan, utility, telephone, or insurance account, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze -- either completely, if you are shopping around, or specifically for a certain creditor -- with enough advance notice before you apply for new credit for the lifting to take effect.
You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer reporting agency or a user of your credit report.
To place a security freeze on your credit report, you must send a request to each of the three major consumer reporting agencies: Equifax, Experian, and TransUnion. These agencies can be contacted using the contact information provided above.
In order to request a security freeze, you may need to provide the following information:
There were 2 Rhode Island residents impacted by this incident.
