Skip to main content

Notice of Data Privacy Event

For information directly related to the incident, please visit: peaktpa.com/data-notice/

Harbor Health Services, Inc. has recently become aware of a data privacy event affecting the security of the personal information of a limited number of our Elder Service Plan (PACE) participants.

We take this incident very seriously and the confidentiality, privacy, and security of the information provided to us is one of our highest priorities.

For information directly related to the incident, please visit: peaktpa.com/data-notice/

What Happened?

On February 9, 2021, we were contacted by a vendor of ours, PeakTPA. PeakTPA is owned and operated by Tabula Rasa HealthCare and conducts administrative services for claims payment for us.

PeakTPA informed us that some of our participant data was breached by a ransomware attack on their systems around December 31, 2020. The attack took place on two of PeakTPA’s cloud servers.

The types of information that were potentially accessible include a participant’s name, address, Peak unique identifier, social security number, service/treatment information, date of birth, diagnoses, picture, claim information, or date of death. Privacy is extremely important to us and we wanted to make anyone potential affected is aware of this incident.

How Do I Know If I Am Affected?

Written notification by mail is being provided directly to anyone affected by this incident. In addition, PeakTPA has set up a toll-free number to answer your questions.

Call the below number between the hours of 8 a.m. and 5:30 p.m. central time at:

1-855-761-0196

How Are We Responding?

The security of our patients’ information is extremely important to us. We apologize for any inconvenience this incident may cause.

PeakTPA has investigated the incident and ensured there is no further known threat to information on their servers. Steps have also been taken to directly notify every affected individual as quickly as possible to ensure individuals may best protect themselves.

We want you to feel confident that your data is secure.

In response to this incident, PeakTPA has retained a company named Kroll to provide identity monitoring to affected individuals at no cost for 3 years.  These services include Credit Monitoring, Fraud Consultation, and Identity Theft Restoration. Kroll’s team has a track record of helping people who have faced such an event.

For your information, on January 27, 2021, the criminal group behind the attack, Netwalker, was broken up by the FBI.

Its leader was arrested, and its records and data were seized. Still, PeakTPA has assured us it has instituted additional protections to prevent such a breach from taking place again, such as strengthening threat protection and upgrading the enterprise security systems.

What Can I Do in Response to this Incident?

We encourage you to remain vigilant against incidents of identity theft and fraud.

As a best practice, if you receive a notice from us that your information was affected, you should review your financial account statements, credit reports and explanation of benefits forms for suspicious activity.  If you see any unauthorized charges, promptly contact the bank or credit card company.  We also recommend reviewing your credit report for inquiries from companies that you have not contacted, accounts you did not open and debts on our accounts that you cannot explain.

Under U.S. law you are entitled to one free credit report annually from each of the three major credit reporting bureaus.  To order your free credit report, visit annualcreditreport.com or call toll-free 1-877-322-8228.  You may also contact the three major credit bureaus directly to request a free copy of your credit report.

You may also place a security freeze on your credit reports, free of charge. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing or other services.

Under federal law, you cannot be charged to place, lift, or remove a security freeze.

You must place your request for a freeze with each of the three major consumer reporting agencies: Equifax (equifax.com); Experian (www.experian.com); and TransUnion (www.transunion.com). To place a security freeze on your credit report, you may send a written request by regular, certified or overnight mail at the addresses below.

You may also place a security freeze through each of the consumer reporting agencies’ websites or over the phone, using the contact information below:

Equifax Security Freeze
P.O. Box 105788 Atlanta, GA 30348
1-800-349-9960
Equifax.com/personal/credit-report-services/

Experian Security Freeze
P.O. Box 9554 Allen, TX 75013
1-888-397-3742
Experian.com/freeze/center.html

TransUnion Security Freeze
P.O. Box 160 Woodlyn, PA 19094
1-888-909-8872
Transunion.com/credit-freeze

In order to request a security freeze, you will need to provide some or all of the following information to the credit reporting agency, depending on whether you do so online, by phone, or by mail:

  • Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
  • Social Security Number
  • Date of birth
  • If you have moved in the past five (5) years, the addresses where you have lived over the prior five years
  • Proof of current address, such as a current utility bill, telephone bill, rental agreement, or deed
  • A legible photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.)
  • Social Security Card, pay stub, or W2
  • If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft

The credit reporting agencies have one (1) to three (3) business days after receiving your request to place a security freeze on your credit report, based upon the method of your request. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password (or both) that can be used by you to authorize the removal or lifting of the security freeze. It is important to maintain this PIN/password in a secure place, as you will need it to lift or remove the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must make a request to each of the credit reporting agencies by mail, through their website, or by phone (using the contact information above). You must provide proper identification (including name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze, as well as the identities of those entities or individuals you would like to receive your credit report.

You may also temporarily lift a security freeze for a specified period of time rather than for a specific entity or individual, using the same contact information above. The credit bureaus have between one (1) hour (for requests made online) and three (3) business days (for request made by mail) after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze, you must make a request to each of the credit reporting agencies by mail, through their website, or by phone (using the contact information above). You must provide proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have between one (1) hour (for requests made online) and three (3) business days (for requests made by mail) after receiving your request to remove the security freeze.

As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost.  An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file.  Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit.  If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years.  Should you wish to place a fraud alert, please contact any one of the agencies listed above.

Under Massachusetts law, you have the right to obtain any police report filed in regard to this incident.  If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.

You can also further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself, by contacting the consumer reporting agencies, your state Attorney General, or the Federal Trade Commission (FTC).  The FTC can be reached at:

600 Pennsylvania Avenue NW, Washington, DC 20580
identitytheft.gov
1-877-ID-THEFT (877-438-4338)
TTY: 866-653-4261

The FTC also encourages those who discover that their information has been misused to file a complaint with them.  You can also obtain further information on how to file such a complaint by way of the contact information listed above.

Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General.

Where Can I Receive More Information?

We understand that you may have questions about this incident that are not addressed in this notice. For more information regarding the event, please contact 1-855-761-0196 between the hours of 8 a.m. and 5:30 p.m. Central Time.

If you would like to speak with Harbor Health directly, we are available at:

Phone: 617-533-2400

TTY: 617-533-2404

You can also access peaktpa.com/data-notice/ for more information specifically related to this incident.

We care for your privacy, and we are deeply sorry for the inconvenience this may cause.

Harbor Health is committed to providing quality comprehensive care and this includes protecting your information.  We thank you for your understanding and your trust in us.