Notice of Data Security Incident
PeakTPA recently experienced a ransomware incident that affected data of several current and former PeakTPA clients. PeakTPA offers healthcare management services to health plans, Managed Care Advantage and Programs of All-Inclusive Care for the Elderly. On December 31, 2021, PeakTPA experienced a ransomware incident impacting two of PeakTPA's cloud servers.
On February 10, 2021, PeakTPA notified Siouxland PACE ("PACE") of the ransomware incident and that PACE participant data may have been involved. Upon learning of the issue, PACE commenced a prompt and thorough investigation to identify all participants involved. As part of its investigation, in addition to obtaining detailed information from PeakTPA about the nature and scope of the incident, PACE engaged cybersecurity professionals experienced in handling these types of incidents. PACE confirmed that PeakTPA thoroughly investigated the situation, contacted federal law enforcement, and contracted with specialized third-party agencies, which determined that certain participant information had been revealed. PeakTPA's agent successfully negotiated with the attacker and was provided evidence by video that the seized data was deleted. Furthermore, since the attack, the criminal group behind it was disrupted by U.S. federal authorities.
We regret to share that PeakTPA's forensic investigation concluded that PACE participant information was involved in the incident. The information accessed by the attack included participant names, dates of birth, addresses, social security numbers, and diagnosis and treatment information.
According to PeakTPA, there is no evidence that any data has been misused, disseminated, or otherwise made publicly available. On April 7, 2021, PeakTPA provided the affected PACE participants with written notification of this incident and is providing them with credit monitoring, fraud consultation, and identity theft restoration at no cost for up to three years. PeakTPA is also advising the affected participants on other actions to protect their personal information, including reviewing their financial account statements and explanation of benefits statements for fraudulent or irregular activity on a regular basis, placing a fraud alert and/or security freeze on their credit files, and/or obtaining a free credit report.
PeakTPA has assured PACE that it is enhancing its security controls and conducting ongoing efforts to guard against incidents like this in the future. PACE remains fully committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it, including continually evaluating and modifying its practices, and those of its third-party service providers, to enhance data security.
For more information about this data security event, PeakTPA released a public statement regarding the incident, available at https://peaktpa.com/data-notice/.
If you have questions, please contact Kroll at (855) 761-0196 Monday through Friday, 8:00 a.m. to 5:30 p.m. Central Time, excluding major U.S. holidays.