20/20 Eye Care Network - 3,253,822 health plan members - Notice of Data Security Event

RE: Notice of Data Security Event

On January 11, 2021, 20/20 was alerted to suspicious activity in its cloud storage environment and immediately secured the systems and investigated the activity. 20/20 promptly notified local law enforcement and the FBI, and began working with third-party experts to determine the full nature and scope of the incident. The investigation found that certain data was deleted during the January 11 event, and that some information was accessed or downloaded prior to deletion.

20/20 conducted a thorough investigation in an attempt to identify the information contained in the affected cloud storage environment. Unfortunately, while additional details were discovered, 20/20 was not able to conclusively determine what specific information was actually accessed or removed from its systems.

Potentially accessible information varies by individual but may include name, Social Security number, date of birth, member identification number and/or health insurance information. 20/20 reiterates that although information for individuals being notified may not have actually been accessed or acquired, it is providing notice to individuals by mail out of an abundance of caution, and including an offer for free credit monitoring together with identity theft assistance and insurance.

20/20 analyzed its member database to identify all individuals whose information could have potentially been accessed or downloaded during the incident, and worked closely with a number of health plan partners during this extensive process to validate relevant database records and obtain any missing information necessary for notification. 20/20 also notified the U.S. Department of Health & Human Services’ Office for Civil Rights and relevant state authorities.

Since learning of this incident, 20/20 has taken a number of steps to protect its systems and to help prevent something similar occurring in the future. These include reporting the incident to law enforcement and cooperating fully with their investigation, immediately resetting all passwords, and beginning a robust review of existing policies and procedures to improve security for the future.

20/20 encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity. If potentially impacted individuals have questions, for more information please contact our dedicated call center at (833)-580-2416, between 9 am to 6 pm Eastern time. Additionally, 20/20 is providing potentially impacted individuals with contact information for the three major credit reporting agencies, as well as providing advice on how to obtain free credit reports and how to place fraud alerts and security freezes on their credit files. The relevant contact information is below:



Equifax

P.O. Box 105069

Atlanta, GA 30348

1-888-766-0008

www.equifax.com

Experian

P.O. Box 9554

Allen, TX 75013

1-888-397-3742

www.experian.com

TransUnion

P.O. Box 2000

Chester, PA 19016

1-800-680-7289

www.transunion.com



Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261.



Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.