Health Management Systems of America is providing notice of a security incident involving the unauthorized access of single email account containing personal and protected health information. As the investigation remains ongoing, Health Management Systems of America reserves the right to update this page as needed.
 
What Happened?
 
On December 9, 2024, Health Management Systems of America (“HMSA”) became aware of unauthorized activity concerning a single email account as a result of a spear phishing campaign.
 
What Is HMSA Doing?
 
In response, HMSA retained an IT security firm to investigate the incident. We also notified the Department of Health and Human Services of the security incident. The investigation revealed that an unauthorized actor gained access to a single email account, and that certain emails within that account were acquired. In addition, we recently determined that some of the acquired emails contained personal and protected health information. We have been working with our legal and data review teams to determine the information involved and to whom it relates in order to provide legal notice to those individuals. Individuals whose information was involved will receive a notice letter in the mail.
 
What Can You Do Now?
 
To date, we are not aware of any reports of identity fraud or fraudulent activity involving your information as a result of this incident. However, it is always prudent for persons to remain vigilant against incidents of identity theft and fraud by reviewing your credit reports and account statements for suspicious activity and to detect errors. If you discover any suspicious or unusual activity in your accounts, please promptly contact the financial institution, health insurance provider, or company.
 
   
What types of data were affected?
 
The data review remains ongoing.
 
When will I know if my data was involved in the incident and how will I be notified?
 
HMSA will provide notice via U.S. mail to affected individuals’ last known address. To the extent that HMSA is unable to locate a current address for an affected individual, substitute notice will be provided on this webpage.
 
What can I do to protect my information?
 
As a general matter, one should remain vigilant by reviewing your credit reports, financial account statements, and explanation of benefits forms for suspicious activity and to detect errors. Some best security practices to safeguard your information may include:
 

• implementation of multifactor authentication on your online accounts;
• avoidance of reuse of the same password or old passwords across accounts;
• use of strong passwords with a at least 8 characters (e.g., combination numbers; capitalized and lowercase letters, and symbols);
• keep your devices and software up to date with the latest security patches; and
• stay alert and keep an eye out for email phishing tactics and stay vigilant against suspicious communications.

How do I get a copy of my credit report?
 
To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at 877-322-8228, complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through their website, toll-free number, or request form.
 
How do I place a fraud alert?
 
A fraud alert helps protect against the possibility of an identity thief opening new credit cards in your name. You can place a fraud alert on your credit report by calling any one of the three credit reporting agencies' toll-free fraud numbers. The contact information for the credit reporting agencies can be found at:
 

Equifax 800-525-6285

Experian 888-397-3742

TransUnion 800-525-6285

The contents of this page are subject to change, as the data review process remains ongoing. Health Management Systems of America reserves the right to update this page as needed