December 9, 2024
Notice of Data Security Incident
Hartson-Kennedy Inc. is committed to protecting the privacy of impacted individuals’ information. We take privacy very seriously, and it is important to us that impacted individuals are made fully aware of a privacy issue involving their information.
What happened?
Hartson-Kennedy, on our own behalf and on behalf of the Hartson-Kennedy Inc. Group Benefit Plan, are providing notice to individuals who may be impacted by a security incident. On October 9, 2024, Hartson-Kennedy was alerted to a dark web posting by an attacker claiming to have accessed and removed data from our IT systems. We immediately began our investigation with the help of legal and computer forensics teams. We learned the attackers accessed our systems starting on June 24, 2024, through a compromised user account. As a result, the attacker was able to gain access to parts of our network and view and take certain files relating to our employees, their dependents, and our health plan, among other types of information.
Impacted individuals include both current and former Hartson-Kennedy employees, and their spouses and dependents, enrolled in the Hartson-Kennedy Inc. Group Benefit Plan since 2017.
While we have no evidence that any of the personal information has been misused for identity theft or fraud at this time, we are exercising an abundance of caution to help protect impacted individuals’ personal information and financial security, and alleviate any concerns impacted individuals may have.
What information was involved?
The information that may have been viewed or taken includes information such as names, addresses, dates of birth, phone numbers, and emails, plus one or more of the following:
- Health insurance data, such as health plan enrollment and account information;
- Health data, such as diagnosis information and codes;
- Health billing and payment data, such as claim numbers, account numbers, billing codes, payment amounts, and balance information;
- Other personal data such as Social Security number, driver’s license or state or other ID number, and financial account information.
The data that may have been seen or taken may differ from person to person.
What is Hartson-Kennedy doing to address this situation?
We have fully investigated this incident with our forensic service provider and legal team, and have made immediate enhancements to our systems, security, and practices. Additionally, we have engaged appropriate experts to assist us in conducting a full review of our security practices and systems to ensure that enhanced security protocols are in place going forward so an incident like this does not happen again. In particular, we are improving our systems and processes for records relating to employees and our health plan. We are also enhancing our employee training to increase awareness and prevent future security incidents.
We are committed to helping those who may have been impacted by this situation, and are providing impacted individuals with access to Single Bureau Credit Monitoring services at no charge. These services provide impacted individuals with alerts for 24 months from the date of enrollment. We are also providing impacted individuals with proactive fraud assistance to help with any questions they may have or in the event they become victims of fraud.
What can individuals do to protect themselves?
Please see the section entitled “Other Steps You Can Take to Protect Yourself” below for additional resources individuals can use to protect themselves.
What if individuals want to talk to someone about this incident?
Representatives are available for 90 days from the date of this letter, to assist impacted individuals with questions regarding this incident, between the hours of 8:00 am to 8:00 pm Eastern Time, Monday through Friday, excluding holidays. If an individual believes they may have been impacted by this incident, but have not received a letter, they can call the help line at 866-622-9303.
While representatives should be able to provide thorough assistance and answer most questions, individuals may still feel the need to speak with Hartson-Kennedy regarding this incident. If so, please call us at 765-668-8144 Ext. 126 from 9:00 am to 5:00 pm Eastern Time, Monday through Friday.
We take our responsibilities to protect personal information very seriously. We apologize for any inconvenience resulting from this incident.
Other Steps You Can Take to Protect Yourself
Review Your Credit Reports. We recommend that you remain vigilant by reviewing account statements and monitoring credit reports. Under federal law, you also are entitled every 12 months to one free copy of your credit report from each of the three major credit reporting companies. To obtain a free annual credit report, go to www.annualcreditreport.com or call 1-877-322-8228. Hearing impaired consumers can access their TDD service at 1-877-730-4204. You may wish to stagger your requests so that you receive a free report by one of the three credit bureaus every four months.
Upon receipt of your credit report, we recommend that you review it carefully for any suspicious activity. Be sure to promptly report any suspicious activity by calling the help line number included above and providing your unique code listed in this letter.
Police Report. You also have the right to file a police report if you ever experience identity fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide evidence that you have been a victim. A police report is often required to dispute fraudulent items. You can report suspected incidents of identity theft to local law enforcement or to the Attorney General.
Fraud Alerts. You can also place fraud alerts with the three credit bureaus. If you choose to place a fraud alert, we recommend you do this after activating your credit monitoring. You can place a fraud alert at one of the three major credit bureaus by phone and also via Experian’s or Equifax’s website. A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. The contact information for all three bureaus is as follows:
Experian (1-888-397-3742) Equifax (1-800-525-6285) TransUnion (1-800-680-7289)
P.O. Box 4500 P.O. Box 740241 P.O. Box 2000
Allen, TX 75013 Atlanta, GA 30374 Chester, PA 19016
www.experian.com www.equifax.com www.transunion.com
No one can place a fraud alert on your credit report except you.
Credit Freeze. By placing a security freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name. You will need to contact the three national credit reporting bureaus listed above to place the freeze. Keep in mind that when you place the freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. There is no cost to freeze or unfreeze your credit files.
Additional Information. You can obtain additional information about how to avoid identity theft from the following agencies. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can contact the FTC at https://consumer.ftc.gov; 1-877-IDTHEFT (438-4338); TTY 1-866-653-4261; or Attn: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Kentucky Residents: Office of the Attorney General of Kentucky, 700 Capitol Avenue, Suite 118 Frankfort, Kentucky 40601, www.ag.ky.gov, Telephone: 1-502-696-5300.
North Carolina Residents: Office of the Attorney General of North Carolina, 9001 Mail Service Center Raleigh, NC 27699-9001, www.ncdoj.gov, Telephone: 1-919-716-6400.