Notice of Data Breach
Lutheran Social Services of Illinois Notifies Clients of Data Breach
Lutheran Social Services of Illinois (“LSSI”), an organization providing critical programs to Illinois residents including foster care, mental health services, alcohol and drug treatment, affordable senior housing, and residential programs for people with developmental disabilities, is notifying certain individuals whose data may have been affected by a recent data security incident.
On January 27, 2022, LSSI became aware of a cybersecurity incident resulting in some system outages and disruption to parts of its operations. When discovered, LSSI quickly took steps to secure and safely restore its systems and operations. Further, LSSI immediately engaged third-party forensic specialists to conduct a thorough investigation of the incident's nature and scope and assist in the remediation efforts. The investigation determined that the incident involved an unauthorized individual accessing certain data we maintain. LSSI has confirmed the deletion of the acquired information to the best of its ability and knowledge. LSSI also contacted law enforcement to inform them of the incident and seek guidance.
Based on a comprehensive review, LSSI discovered that certain personal and protected health information was included in the incident. However, as of now, we have no evidence indicating identity theft involving any of the information.
The types of protected health information potentially involved (only if this information was provided to LSSI) include contact and demographic information (i.e., first and last name, gender, home address, phone number, email address, date of birth); Social Security number; clinical information (i.e., medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name, medical account number, or anything similar in a medical file and/or record); and financial information (i.e., payment or bank account information, health insurance policy and group plan number, group plan provider, claim information).
In response to this incident, LSSI has secured its network and is working with external cybersecurity partners to further enhance its cybersecurity infrastructure. Specifically, we are incorporating additional 24/7 threat monitoring and detection on all servers and endpoints, performing a thorough security evaluation of all of our endpoints, and confirming the environment is clean. We are monitoring the dark web for any information posted from the organization and are actively assessing any new administrative and technical safeguards to implement to better minimize the chance of this type of event occurring again.
As good practice, LSSI recommends that individuals remain vigilant by closely reviewing their account statements and credit reports as a precautionary measure. If individuals detect any suspicious activity on an account, LSSI strongly advises that they promptly notify the financial institution or company that maintains the account. Further, individuals should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, including their state attorney general and the Federal Trade Commission (FTC).
Further, LSSI is offering complimentary credit monitoring and identity protection services to individuals impacted or involved in the incident. Individuals interested in signing up for the complimentary credit monitoring must do so within 90 days of receiving their notification letter from LSSI. Individuals who believe they may have been impacted by this incident and wish to take advantage of these services can contact the dedicated toll-free helpline (as stated below). For more guidance on protecting against identity theft, review “Other Important Information,” located below.
To assist with questions regarding this incident, LSSI set up a dedicated call center at 1-844-520-0866. Individuals with questions may call the call center from 8:00 am to 8:00 pm Eastern time, Monday through Friday (except holidays) within 90 days of this notice.
OTHER IMPORTANT INFORMATION
Obtain and Monitor Your Credit Report. We recommend that you obtain a free copy of your credit report from each of the three nationwide credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can access the request form at https://www.annualcreditreport.com/requestReport/requestForm.action. Alternatively, you can elect to purchase a copy of your credit report by contacting one of the three national credit reporting agencies. Contact information for the three nationwide credit reporting agencies is provided below for requesting a copy of your credit report or for general inquiries.
P.O. Box 740256
Atlanta, GA 30348
P.O. Box 2104
Allen, TX 75013
P.O. Box 1000
Chester, PA 19016
Security Freeze (also known as a Credit Freeze). Following is general information about how to request a security freeze from the three credit reporting agencies. While we believe this information is accurate, you should contact each agency for the most accurate and up-to-date information. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing, or other services. In addition, in some states, the agency cannot charge you to place, lift or remove a security freeze. There might be additional information required, and as such, to find out more information, please contact the three nationwide credit reporting agencies (contact information provided above).
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
TransUnion Security Freeze &
Fraud Victim Assistance Dept.
P.O. Box 1000
Chester, PA 19016
Consider Placing a Fraud Alert on Your Credit Report. You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for at least twelve months. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you before establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three nationwide credit reporting agencies identified above. Additional information is available at https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/
Remain Vigilant, Review Your Account Statements and Notify Law Enforcement of Suspicious Activity. As a precautionary measure, we recommend that you remain vigilant by closely reviewing your account statements and credit reports. If you detect any suspicious activity on an account, we strongly advise that you promptly notify the financial institution or company that maintains the account. Further, you should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, including your state attorney general and the Federal Trade Commission (FTC). To file a complaint or to contact the FTC, you can (1) send a letter to the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580; (2) go to IdentityTheft.gov/databreach; or (3) call 1-877-ID-THEFT (877-438-4338). Complaints filed with the FTC will be added to the FTC's Identity Theft Data Clearinghouse, a database made available to law enforcement agencies.
Take Advantage of Additional Free Resources on Identity Theft. We recommend that you review the tips provided by the Federal Trade Commission's Consumer Information website, a valuable resource with some helpful tips on how to protect your information. Additional information is available at https://www.consumer.ftc.gov/topics/privacy-identity-online-security. For more information, please visit IdentityTheft.gov or call 1-877-ID-THEFT (877-438-4338). In addition, a copy of Identity Theft – A Recovery Plan, a comprehensive guide from the FTC to help you guard against and deal with identity theft, can be found on the FTC's website at https://www.consumer.ftc.gov/articles/pdf-0009_identitytheft_a_recovery_plan.pdf.
District of Columbia residents: You can obtain information from the FTC and the Office of the Attorney General for the District of Columbia about steps to take to avoid identity theft. You can contact the D.C. Attorney General at: 441 4th Street, NW, Washington, DC 200001, 202-727-3400, www.oag.dc.gov.
Iowa residents may also wish to contact the Office of the Attorney General on how to avoid identity theft by calling 515-281-5164 or by mailing a letter to the Attorney General at: Office of the Attorney General of Iowa, Hoover State Office Building, 1305 E. Walnut Street, Des Moines, IA 50319.
Maryland residents may wish to review the information provided by the Attorney General, who can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, 1-888-743-0023, or by visiting www.oag.state.md.us.
Massachusetts residents: State law advises you that you have the right to obtain a police report. Further, you have the right to obtain a security freeze on your credit report free of charge. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. To request that a security freeze be placed on your credit report, please be prepared to provide any or all of the following: your full name, Social Security number, address(es), date of birth, a copy of a government-issued identification card, a copy of a utility bill, bank or insurance information, or anything else the credit reporting agency needs to place the security freeze. Further information regarding credit freezes, including the contact information for the credit reporting agencies, may be found above in the section titled “Security Freeze (also known as a Credit Freeze).”
New Hampshire residents have the right to ask that the three nationwide credit reporting agencies place fraud alerts in their file (as described above) and/or request a security freeze (as described above). To place a fraud alert on your file or request the security freeze, please contact the three credit reporting agencies identified above.
New Mexico residents: You have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit.
New York residents: You may also contact the following state agencies for information regarding security breach response and identity theft prevention and protection information: New York Attorney General’s Office Bureau of Internet and Technology, (212) 416-8433, https://ag.ny.gov/internet/resource-center and/or NYS Department of State's Division of Consumer Protection, (800) 697-1220, https://www.dos.ny.gov/consumerprotection.
North Carolina residents may wish to review the information provided by the North Carolina Attorney General at www.ncdoj.gov, or by contacting the Attorney General by calling 877-5-NO-SCAM (toll-free within North Carolina) or by mailing a letter to the Attorney General at North Carolina Attorney General's Office, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699.
Oregon residents: State laws advise you to report any suspected identity theft to law enforcement, as well as the Federal Trade Commission. You can contact the Oregon Attorney General at: Oregon Department of Justice, 1162 Court Street NE, Salem, OR 97301-4096, (877) 877-9392, www.doj.state.or.us.
Rhode Island residents have the right to obtain a police report (if one was filed. Alternatively, you can file a police report). Further, you can obtain information from the Rhode Island Office of the Attorney General about steps you can take to help prevent identity theft. You can contact the Rhode Island Attorney General at: 150 South Main Street, Providence, RI 02903, (401) 274-4400, www.riag.ri.gov. As noted above, you have the right to place a security freeze on your credit report at no charge, but note that consumer reporting agencies may charge fees for other services.
West Virginia residents have the right to ask that the three nationwide credit reporting agencies place fraud alerts in their file (as described above) and/or request a security freeze (as described above). To place a fraud alert on your file or request the security freeze, please contact the three credit reporting agencies identified above.