Notice of Security Incident
 
Health Management Systems of America (“HMSA”) experienced a security incident that involved unauthorized activity concerning a single email account. Information security is a top priority, and despite our efforts, HMSA fell victim to a cybercrime. This notice serves to provide an update about the incident, our response, and steps we have taken to improve our security posture.
 
What Happened? On December 9, 2024, HMSA became aware of unauthorized activity concerning a single email account as a result of a spear phishing campaign.
 
What Is HMSA Doing? After learning about the incident, HMSA immediately shut down the threat, resecured the account, and retained an IT security firm to investigate the incident. The investigation revealed that there was an isolated incident where an unauthorized actor acquired contents of the email account. As part of our response efforts, HMSA commenced a detailed review of the email account to understand the data potentially involved and to whom the information belonged to. HMSA engaged a data mining team to assist with this process. As the review progressed, HMSA issued notification on a rolling basis. For individuals whose Social Security numbers were involved, HMSA provided direct notice and provided those individuals an opportunity to enroll in credit monitoring services.
 
What Information Was Involved? The information involved varied from person to person. However, the types of information involved included insurance claims information, employee assistance program information, authorization of services, demographic information, driver’s license, Social Security number, chart number, login account information, and/or financial account information. Importantly, we have no indication that this information has been the subject of any fraudulent activity.
 
What Can You Do Now? Generally, it is always prudent for individuals to remain vigilant against incidents of identity theft and fraud by reviewing your credit reports and account statements for suspicious activity and to detect errors. If you discover any suspicious or unusual activity in your accounts, please promptly contact the financial institution, health insurance provider, or company.
 
For More Information. For more information about Kroll and your credit and identity monitoring services, you can visit info.krollmonitoring.com. Should you have any questions or concerns, please contact our professional assistance line with Kroll’s call center at (866) 613-8940, Monday through Friday, 8:00 AM to 5:30 PM Central Time, excluding major U.S. holidays. We remain committed to protecting your trust in us and continue to be thankful for your support during this time.
 
Sincerely,
 
Health Management Systems of America
Enclosure: Steps You Can Take to Help Protect Your Information
 
STEPS YOU CAN TAKE TO HELP PROTECT YOUR INFORMATION
 
Monitor Your Accounts and Credit Reports: It is good practice to remain vigilant against incidents of identity theft and fraud by reviewing your credit reports/account statements and explanation of benefits forms for suspicious activity and to detect errors. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus, TransUnion, Experian, and Equifax. To order your free credit report, visit www.annualcreditreport.com, call toll-free at 1-877-322-8228, complete the Annual Credit Report Request Form on the Federal Trade Commission’s (FTC) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.  Once you receive your credit report, review it for discrepancies and identify any accounts you did not open or inquiries from creditors that you did not authorize. If you have questions or notice incorrect information, contact the credit reporting bureau.
 
Fraud Alert Services: You have the right to place an initial or extended “fraud alert” on a credit file at no cost.  An initial fraud alert is a one-year alert that is placed on a consumer’s credit file.  The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above.
 
Credit Freeze Instructions: As an alternative to a fraud alert, you have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without your express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report.  To request a credit freeze, you should provide the following information:  
 

1. Full name (including middle initial as well as Jr., Sr., III, etc.);
2. Social Security number;
3. Date of birth;
4. Address for the prior two to five years;
5. Proof of current address, such as current utility or telephone bill;
6. A legible photocopy of a government-issued identification card (e.g., state driver’s license or identification card); and
7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft, if you are a victim of identity theft.

 
 
Should you wish to place a fraud alert or credit freeze, please contact the three major credit reporting bureaus listed below:
 

TransUnion 1-800-680-7289 www.transunion.com TransUnion Fraud Alert P.O. Box 2000 Chester, PA 19016-2000 TransUnion Credit Freeze P.O. Box 160 Woodlyn, PA 19094

Experian 1-888-397-3742 www.experian.com Experian Fraud Alert P.O. Box 9554 Allen, TX 75013 Experian Credit Freeze P.O. Box 9554 Allen, TX 75013

Equifax 1-888-298-0045 www.equifax.com Equifax Fraud Alert P.O. Box 105069 Atlanta, GA 30348-5069 Equifax Credit Freeze P.O. Box 105788 Atlanta, GA 30348-5788

Additional Information
 
This notice has not been delayed by law enforcement. If you experience identity theft or fraud, you have the right to file a police report with your local law enforcement agency. When filing a report, you may be required to provide documentation showing that you have been a victim, and you are entitled to obtain a copy of the report for your records. If you discover suspicious activity on your credit reports or otherwise believe your information is being misused, you should promptly contact local law enforcement to file a report.
 
Instances of known or suspected identity theft should also be reported to law enforcement, your state Attorney General, and the FTC.A complaint may be filed with the FTC online at www.ftc.gov/idtheft, by phone at 1-877-IDTHEFT (1-877-438-4338), or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Complaints submitted to the FTC are added to its Identity Theft Data Clearinghouse and made available to law enforcement for investigative purposes. The FTC also provides information about fraud alerts and security freezes.
 
For D.C. residents, the District of Columbia Attorney General may be contacted at 441 4^th Street NW #1100, Washington, D.C. 20001; 202-727-3400, or https://oag.dc.gov/consumer-protection.
 
For Maryland residents, the Maryland Attorney General may be contacted at Office of the Attorney General, 200 St. Paul Place, Baltimore, MD 21202; 1-888-743-0023; or www.marylandattorneygeneral.gov.
 
For New Mexico Residents, the New Mexico Attorney General may be contacted at the New Mexico Department of Justice, 408 Galisteo Street, Villagra Building, Santa Fe, NM 87501; (505) 490-4060; or https://nmdoj.gov/.
 
For North Carolina residents, the North Carolina Attorney General may be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; or www.ncdoj.gov.
 
For Oregon residents, the Oregon Attorney General may be contacted at Justice Building, 1162 Court St. NE, Salem, OR 97301; 1-877-877-9392; or https://www.doj.state.or.us/.
 
For Rhode Island residents, the Rhode Island Attorney General may be contacted at 150 South Main Street, Providence, RI 02903; 1-401-274-4400; or www.riag.ri.gov.
 
Individuals also have rights under the federal Fair Credit Reporting Act (FCRA) and Identity Security Act, which governs the collection and use of information pertaining to you by consumer reporting agencies. These rights include the right to access the information in your file, dispute incomplete or inaccurate information, and request correction or deletion of inaccurate, incomplete, or unverifiable information. For more information about the FCRA and your rights, you may visit www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0096-fair-credit-reporting-act.pdf; or www.ftc.gov.
 
Health Management Systems of America may be contacted by mail at 601 Washington Boulevard
Detroit, Michigan 48226.