Cincinnati-based Episcopal Retirement Services said that it is implementing additional safeguards to its existing cybersecurity infrastructure and enhancing employee cybersecurity training after experiencing two ransomware attacks in recent months.
“The investigation is ongoing, but Episcopal Retirement Services believes that the unauthorized individual could have potentially obtained or accessed protected personal health information” such as first and last names, addresses, names, gender, home addresses, phone numbers, dates of birth, Social Security numbers, medical diagnoses, healthcare provider names, and insurance and Medicare numbers, the organization said in an announcement. As of Nov. 19, however, ERS said, the company had no evidence that any information had been misused.
ERS, which has three retirement communities and approximately two dozen affordable senior housing communities and also offers community services in Ohio, Kentucky and Indiana, said it also is working with external legal and cybersecurity experts to improve cybersecurity policies, procedures and protocols to help minimize the likelihood of these types of incidents occurring in the future.
“We take the security and privacy of the information contained in our systems with the utmost seriousness,” ERS CEO Laura Lamb said in a statement. “We are fully committed to protecting the information of our staff, current residents and residents we have served in the past. We apologize for the inconvenience this incident caused.”
ERS said that around Sept. 24, the organization became aware that it was the victim of a cyber attack that affected its systems and servers. The organization said that its technology team restored and secured the systems, but then on Oct. 22, ERS experienced a ransomware attack.
“At this time, ERS learned that the September incident was also a ransomware attack,” the organization said in an announcement. “ERS immediately engaged independent third-party cybersecurity experts to assist in the remediation and investigation and contacted the FBI. Further, Episcopal Retirement Services followed the guidance set forth by the FBI and are actively working on remediation and restoration of all its systems.”
ERS said that it is notifying potentially affected individuals and sharing steps they can take to protect their information, including complimentary identity monitoring and protection services. The organization also has set up a toll-free telephone line for those who believe that their information could have been involved in the breach; the line, (800) 405-6108, is available Monday through Friday, 8 a.m. to 8 p.m. ET.
ERS recommends that potentially affected individuals monitor their account statements and credit reports and report any fraudulent activity or any suspected incidence of identity theft to their state’s attorney general and the Federal Trade Commission.