RE: Notice of Data Security Event
On January 11, 2021, 20/20 was alerted to suspicious activity in its cloud storage
environment and immediately secured the systems and investigated the activity. 20/20 promptly notified local law enforcement
and the FBI, and began working with third-party experts to determine
the full nature and scope of the incident. The investigation found that
certain data was deleted during the January 11 event, and that some information
was accessed or downloaded prior to deletion.
20/20 conducted a thorough investigation in an attempt to identify the information contained in the
affected cloud storage environment. Unfortunately, while additional details
were discovered, 20/20 was not able to conclusively determine what specific
information was actually accessed or removed from its
systems.
Potentially accessible information varies by
individual but may include name, Social Security number, date of birth, member
identification number and/or health insurance information. 20/20 reiterates
that although information for individuals being notified may not have actually
been accessed or acquired, it is providing notice to individuals by mail out of
an abundance of caution, and including an offer for
free credit monitoring together with identity theft assistance and insurance.
20/20 analyzed its member database to identify all
individuals whose information could have potentially been accessed or
downloaded during the incident, and worked closely
with a number of health plan partners during this extensive process to validate
relevant database records and obtain any missing information necessary for
notification. 20/20 also notified the U.S. Department of Health & Human
Services’ Office for Civil Rights and relevant state authorities.
Since learning of this incident, 20/20 has taken a number of steps to protect its systems and to help prevent
something similar from occurring in the future. These include reporting the incident
to law enforcement and cooperating fully with their investigation, immediately
resetting all passwords, and beginning a robust review of existing policies and
procedures to improve security for the future.
20/20 encourages
potentially impacted individuals to remain vigilant against incidents of
identity theft and fraud, to review account statements, and to monitor their
credit reports and explanation of benefits forms for suspicious activity.
Potentially impacted individuals with questions may contact our dedicated call
center at (833)-580-2416, between 9 am and 6 pm
Eastern time. Additionally, 20/20 is providing potentially
impacted individuals with contact information for the three major credit
reporting agencies, as well as providing advice on how to obtain free credit
reports and how to place fraud alerts and security freezes on their credit
files. The relevant contact information is below:
Equifax, P.O. Box 105069, Atlanta, GA 30348, 1-888-766-0008
Experian, P.O. Box 9554, Allen, TX 75013, 1-888-397-3742
TransUnion, P.O. Box 2000, Chester, PA 19016, 1-800-680-7289
Potentially impacted
individuals may also find information regarding identity theft, fraud alerts,
security freezes and the steps they may take to protect their information by
contacting the credit bureaus, the Federal Trade Commission
or their state Attorney General. The Federal Trade Commission can be reached
at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY:
1-866-653-4261.
Instances of known or
suspected identity theft should also be reported to law enforcement or the
individual’s state Attorney General.