Notice of Data Incident
September 27, 2024 – Cumberland Heights Foundation, Inc. (“Cumberland Heights”) is providing this update regarding the recently experienced data security incident. Please note that to date Cumberland Heights has not received any reports of related misuse of personal or health information, since the date of the Incident.
What Happened?
On February 21, 2024, Cumberland Heights became aware of unauthorized activity within its e-mail environment (the “Incident”). Upon discovery of the Incident, Cumberland Heights engaged a specialized cybersecurity incident response vendor to secure its e-mail environment and conduct a forensic investigation to determine the source and scope of the unauthorized activity. On March 27, 2024, Cumberland Heights concluded its investigation and confirmed unauthorized activity within one (1) Cumberland Heights employee e-mail user account.
Based on the findings of the forensic investigation, Cumberland Heights engaged a third-party data mining firm to conduct a review of the information maintained within the accessed account and identify those individuals whose personal information may have been impacted by the Incident. Cumberland Heights completed its review of the accessed data on June 20, 2024, and a first wave of notification letters was mailed on August 5, 2024. Since completing the first wave of notice, Cumberland Heights has worked to identify and locate additional individuals whose information may have been impacted for purposes of providing notice and complimentary credit monitoring services to the affected individuals. Cumberland finished identifying and locating the remaining affected individuals on September 7, 2024, and a second wave of notice letters were mailed on September 26, 2024.
Please note that to date there has been no evidence to indicate that any individuals’ personal information has been misused as a result of the Incident.
What Information Was Involved?
Based upon the review of the accessed e-mail account, Cumberland Heights determined that the following types of personal information may have been impacted: names, addresses, dates of birth, drivers’ license numbers, positive lab results, sensitive content, and Social Security numbers.
What We Are Doing?
Data privacy and security are among Cumberland Heights’s highest priorities, and there are extensive measures in place to protect information in its care. Since the discovery of the Incident, Cumberland Heights has moved quickly to investigate, respond, and confirm the security of its systems by immediately conducting a forced password reset of its e-mail environment and engaging a specialized incident response vendor to secure its environment and conduct a forensic investigation as to the root cause of the Incident. In addition, Cumberland Heights implemented security enhancement measures to prevent a similar incident from occurring in the future, such as updating systemwide password policy, updating tenant settings in Office365 that increases restrictions on user rights, updating its tenant antivirus security baseline for device and user compliance, and adopting systemwide endpoint detection and response tools.
What You Can Do:
Again, at this time, we have not received any reports of related misuse of personal information since the date of the Incident. As a precautionary measure, however, you can review the below Additional Resources to Help Protect Your Information to learn more about how to protect against the possibility of information misuse.
Other Important Information:
Cumberland Heights sincerely regrets any concern that this matter may cause, and remains dedicated to ensuring the privacy and security of all information within its control. Should you have any questions about this incident, please do not hesitate to call 1-833-543-2516, Monday – Friday, 8:00am to 8:00pm Eastern Standard Time (excluding U.S. national holidays).
Sincerely,
Cumberland Heights Foundation, Inc.
Additional Resources to Help Protect Your Information
We recommend that you remain vigilant for incidents of fraud or identity theft by regularly reviewing your credit reports and financial accounts for any suspicious activity. You should contact the reporting agency using the phone number on the credit report if you find any inaccuracies with your information or if you do not recognize any of the account activity.
You may obtain a free copy of your credit report by visiting www.annualcreditreport.com, calling toll-free at 1-877-322-8228, or by mailing a completed Annual Credit Report Request Form (available at www.annualcreditreport.com) to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report for a fee by contacting one or more of the three national credit reporting agencies.
You have rights under the federal Fair Credit Reporting Act (FCRA). The FCRA governs the collection and use of information about you that is reported by consumer reporting agencies. You can obtain additional information about your rights under the FCRA by visiting https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act.
You have the right to add, temporarily lift and remove a credit freeze, also known as a security freeze, on your credit report at no cost. A credit freeze prevents all third parties, such as credit lenders or other companies, whose use is not exempt under law, from accessing your credit file without your consent. If you have a freeze, you must remove or temporarily lift it to apply for credit. Spouses can request freezes for each other as long as they pass authentication. You can also request a freeze for someone if you have a valid Power of Attorney. If you are a parent/guardian/representative you can request a freeze for a minor 15 and younger. To add a security freeze on your credit report you must make a separate request to each of the three national consumer reporting agencies by phone, online, or by mail by following the instructions found at their websites (see “Contact Information” below). The following information must be included when requesting a security freeze: (i) full name, with middle initial and any suffixes; (ii) Social Security number; (iii) date of birth (month, day, and year); (iv) current address and any previous addresses for the past five (5) years; (v) proof of current address (such as a copy of a government-issued identification card, a recent utility or telephone bill, or bank or insurance statement); and (vi) other personal information as required by the applicable credit reporting agency.
You have the right to add, extend, or remove a fraud alert on your credit file at no cost. A fraud alert is a statement that is added to your credit file that will notify potential credit grantors that you may be or have been a victim of identity theft. Before they extend credit, they should use reasonable procedures to verify your identity. Please note that, unlike a credit freeze, a fraud alert only notifies lenders to verify your identity before extending new credit, but it does not block access to your credit report. Fraud alerts are free to add and are valid for one year. Victims of identity theft can obtain an extended fraud alert for seven years. You can add a fraud alert by sending your request to any one of the three national reporting agencies by phone, online, or by mail by following the instructions found at their websites (see “Contact Information” below). The agency you contact will then contact the other credit agencies.
Below is the contact information for the three national credit reporting agencies (Experian, Equifax, and TranUnion) if you would like to add a fraud alert or credit freeze to your credit report.
| Credit Reporting Agency | Access Your
Credit Report |
Add a Fraud Alert | Add a Security Freeze |
| Experian | P.O. Box 2002
Allen, TX 75013-9701 1-866-200-6020 |
P.O. Box 9554
Allen, TX 75013-9554 1-888-397-3742 |
P.O. Box 9554
Allen, TX 75013-9554 1-888-397-3742 |
| Equifax | P.O. Box 740241
Atlanta, GA 30374-0241 1-866-349-5191 |
P.O. Box 105069
Atlanta, GA 30348-5069 1-800-525-6285 www.equifax.com/personal/credit-report-services/credit-fraud-alerts |
P.O. Box 105788
Atlanta, GA 30348-5788 1-888-298-0045 www.equifax.com/personal/credit–report-services
|
| TransUnion | P.O. Box 1000
Chester, PA 19016-1000 1-800-888-4213 |
P.O. Box 2000
Chester, PA 19016 1-800-680-7289 |
P.O. Box 160
Woodlyn, PA 19094 1-800-916-8800 |
For more information about credit freezes and fraud alerts and other steps you can take to protect yourself against identity theft, you can contact the Federal Trade Commission (FTC) at 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338), TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above.
You should also report instances of known or suspected identity theft to local law enforcement and the Attorney General’s office in your home state and you have the right to file a police report and obtain a copy of your police report.
