Dow Rummel Village (“DRV”) is an assisted-living healthcare organization in South Dakota. DRV announced today that it experienced a data breach that may involve the personal and protected health information of some individuals it serves. As such, DRV sent notification of this incident to potentially impacted individuals and is providing resources to assist them.
On or about February 14, 2022, DRV became aware of a potential business email compromise involving several of their email accounts when it was reported that an employee had submitted their credentials to an incoming phishing email and that a similar phishing campaign had been launched from their account. Upon discovery of this incident, DRV immediately secured their accounts and promptly engaged a specialized third-party cybersecurity firm to conduct a comprehensive investigation to determine the nature and scope of the incident.
The forensic investigation concluded on March 21, 2022, and determined that six email accounts were compromised as a result of this incident. DRV then began an extensive internal investigation, which included engaging a third-party data mining vendor to discover whether any patient information was impacted as a result of this compromise. Based on these findings, DRV performed a review of all files and emails in the compromised email accounts to identify the specific individuals and the types of information that may have been compromised.
DRV believes that the vast majority of impacted individuals’ personal information was not obtained. However, DRV’s investigation could not confirm the specific information potentially obtained and/or accessed. However, many individuals had only their name and date of birth impacted. Therefore, out of an abundance of caution, DRV is providing notification to all potentially impacted individuals, regardless of the information not being subject to unauthorized access and/or acquisition. However, presently, DRV has no evidence indicating misuse of this information.
Further, after reviewing the potentially impacted information, DRV determined that it could include first and last names, addresses, dates of birth, telephone numbers, social security numbers, email addresses, health plan beneficiary numbers, health insurance information, full-face photos and/or comparable images, UCI numbers (unique identifying number or code generated by us for you), medical information, diagnosis, disability codes, and certificate/license numbers. No Social Security Numbers or financial account numbers were impacted.
The notification letter to the potentially impacted individuals includes steps that they can take to protect their information and offers them access to complimentary identity monitoring and protection services. DRV recommends that individuals enroll in the services provided and follow the recommendations contained within the notification letter to ensure their information is protected. Also, DRV reported the incident to certain regulatory authorities, as required.
South Dakota residents may wish to review the recommended privacy protection resources available from the South Dakota Attorney General, which can be found at: https://consumer.sd.gov/resources.aspx
Please see “other important information” below for additional resources and tips to prevent identity theft.
Individuals seeking more information or with questions may call DRV’s contact at (855) 532-1899. In addition, individuals seeking to contact DRV directly may write to 1321 W. Dow Rummel St., Sioux Falls, SD 57104.
Other Important Information
Obtain and Monitor Credit Report. DRV recommends that individuals obtain a free copy of their credit report from each of the three nationwide credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can access the request form at https://www.annualcreditreport.com/requestReport/requestForm.action
Alternatively, individuals can elect to purchase a copy of their credit report by contacting one of the three national credit reporting agencies. The three nationwide credit reporting agencies’ contact information is provided below for requesting a copy of a credit report or for the general inquiries identified above.
Equifax
P.O. Box 740256
Atlanta, GA 30348
Experian
P.O. Box 2104
Allen, TX 75013
TransUnion
P.O. Box 6790
Fullerton, CA 92834
Security Freeze (also known as a Credit Freeze). The following is general information about how to request a security freeze from the three credit reporting agencies. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on a credit report may delay, interfere with, or prevent the timely approval of any requests for new loans, credit, mortgages, employment, housing, or other services. In addition, in some states, the agency cannot charge individuals to place, lift or remove a security freeze. Additional information might be required; to find out more, please contact the three nationwide credit reporting agencies (contact information provided above).
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
TransUnion Security Freeze & Fraud Victim Assistance Dept.
P.O. Box 6790
Fullerton, CA 92834
Consider Placing a Fraud Alert on Credit Reports. Individuals may want to consider placing a fraud alert on their credit report. An initial fraud alert is free and will stay on a credit file for at least twelve months. The alert informs creditors of possible fraudulent activity within a report and requests that the creditor contact individuals before establishing any accounts in an individual’s name. To place a fraud alert on a credit report, contact any of the three nationwide credit reporting agencies identified above. Additional information is available at https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/
Remain Vigilant, Review Account Statements and Notify Law Enforcement of Suspicious Activity. As a precautionary measure, DRV recommends that individuals remain vigilant by closely reviewing their account statements and credit reports. If an individual detects any suspicious activity on an account, DRV strongly advises that they promptly notify the financial institution or company that maintains the account. Further, individuals should promptly report any fraudulent activity or any suspected incident of identity theft to proper law enforcement authorities, including their state attorney general and the Federal Trade Commission (FTC). To file a complaint or to contact the FTC, individuals can (1) send a letter to the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580; (2) go to IdentityTheft.gov/databreach; or (3) call 1-877-ID-THEFT (877-438-4338). Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, a database made available to law enforcement agencies.
Certain rights under the Fair Credit Reporting Act (FCRA): These rights include knowing what is in an individual’s file; disputing incomplete or inaccurate information; and requiring consumer reporting agencies to correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf.
Take Advantage of Additional Free Resources on Identity Theft. DRV recommends that individuals review the tips provided by the Federal Trade Commission’s Consumer Information website, a valuable resource with some helpful tips on how to protect your information. Additional information is available at https://www.consumer.ftc.gov/topics/privacy-identity-online-security. For more information, please visit IdentityTheft.gov or call 1-877-ID-THEFT (877-438-4338). A copy of Identity Theft – A Recovery Plan, a comprehensive guide from the FTC to help you guard against and deal with identity theft, can be found on the FTC’s website at https://www.consumer.ftc.gov/articles/pdf-0009_identitytheft_a_recovery_plan.pdf.