We are sending this letter as part of KIPDA’s commitment to client privacy and want to make you aware of a possible privacy issue. We recently learned of a security incident that may have involved some personal health information we recently collected to perform services for you or for an individual in your care. KIPDA partners with community providers to support members of our community through the provision of individualized services such as caregiver services, in-home services, and Medicaid Waiver Program services. To perform these services, KIPDA must collect and maintain certain personal health information for the individuals we seek to serve. We want to let you know what happened involving the personal information in our possession, what steps we are taking in response, and how you can protect personal information about you or others in your care.

What Happened. On January 9, 2023, an automobile belonging to one of our employees was stolen from her home, along with the contents, which included some work papers containing personal information. When the automobile was recovered, the work papers were missing. We are notifying you because your information or the information of someone in your care may have been included in the work papers that were in the stolen automobile and could have been viewed or accessed by unauthorized persons as a result of the theft.

What Information Was Involved. The work papers in the stolen vehicle included completed Physician Recommendation forms for Medicaid Waiver services for Kentucky Medicaid program members. The personal information contained on these forms consisted of the following: The Medicaid member’s name, address, phone number, diagnosis or diagnoses, Medicaid Member ID number, a physician’s signature and the physician’s National Provider Number. The information did not include a birth date, social security number, or any financial account information.

What We Are Doing in Response. Immediately upon discovering the automobile’s theft, our employee reported it to the police as well as to KIPDA. KIPDA conducted its own investigation into the incident to identify where we can improve and update physical, technical, and administrative safeguards for our client’s personal information. We provided additional training to our staff on how to protect and secure personal information outside our offices. KIPDA is continuing to review and update our information privacy and security policies and procedures to ensure that we have adequate safeguards in place to protect personal health information.

What You Can Do. We recommend that you review the enclosed “Identity Theft: Helpful Tips and Resources” describing steps you can take to protect personal information, such as regularly reviewing financial and healthcare statements, obtaining and reviewing your free credit report, placing a fraud alert or security freeze on your credit file, and how to create a strong password. It also includes links to state attorney general and federal identity theft resources.

We take the confidentiality of the personal information we collect very seriously and apologize for any inconvenience this incident might cause you. If you have any further questions, please contact me at joanna.weiss@kipda.org or call 1-502-714- 5111 (toll free), Monday through Friday from 8 am to 4 pm Eastern Time. Voicemail messages will be returned within two business days.

Sincerely,

JoAnna Weiss, MA

Quality Management Planner KIPDA Privacy and Security Officer

IDENTITY THEFT: HELPFUL TIPS AND RESOURCES

(Current as of January 19, 2023)

Credit Reporting Agencies. Contact information for the three nationwide credit reporting agencies is:

 Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111 (1-800-465-7166 in Canada)

Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742
 TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213 (1-877-525-3823 in Canada)
Free Credit Report. It is recommended that you watch for unauthorized activity by reviewing account statements and monitoring your credit report. You may obtain a copy of your credit report, free of charge, at least once every 12 months from each of the three nationwide credit reporting agencies. (During the pendency of the U.S. Health & Human Services Declaration of the COVID-19 Public Health Emergency, free, online credit reports are available at no charge from each credit reporting agencies.) To order your free credit report, visit www.annualcreditreport.com or call toll free at 1-877-322-8228. You can also order your free credit report by mailing a completed Annual Credit Report Request Form (available at https://www.annualcreditreport.com/manualRequestForm.action) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
Fraud Alert. You may place a fraud alert on your file by calling one of the credit reporting agencies above. A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts. For that reason, while placing a fraud alert can protect you, the alert may cause a delay when you seek to obtain credit.
Security Freeze. You may place a security freeze on your credit report to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three credit reporting agencies listed above. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. The credit reporting agencies may charge a fee to place a freeze, temporarily lift it or permanently remove it. The fee is waived if you are a victim of identity theft and have submitted a valid investigative or law enforcement report or complaint relating to the identity theft incident to the credit reporting agencies. (You must review your state’s requirement(s) and/or credit bureau requirement(s) for the specific document(s) to be submitted.)
You can obtain additional information about fraud alerts and security freezes from the Federal Trade Commission (below) or the three credit reporting agencies (above).
Federal Trade Commission (FTC) and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been stolen or misused, you should immediately contact the FTC and/or the Attorney General’s office in your home state. You may also contact these agencies for information on how to prevent or avoid identity theft. You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, https://www.identitytheft.gov/, or phone 1-877-IDTHEFT (1-877- 438-4338).
Kentucky. Residents of Kentucky can report identity theft to the Attorney General of Kentucky by completing an online complaint form at ag.ky.com/scams or by calling the toll-free Identity Theft Hotline at 1-800-804-7556.
Tips and additional resources for protecting yourself from or responding to identity theft are available on the Kentucky Attorney General Identity Theft website at https://www.ag.ky.gov/Resources/Consumer- Resources/Consumers/Pages/Identity-Theft.aspx.
Indiana. The Attorney General of Indiana offers Indiana residents an ID theft victim kit. It includes steps for reporting the theft, resources for where to turn, and information for contacting the fraud department. A number of telephone numbers for different agencies and departments is also included in the kit. Access the kit at http://www.indianaconsumer.com/pdf/IDTheftVictimKit.pdf
Tax Fraud. Closely examine any communication that claims to be an official communication from the IRS or others in the tax industry, including tax software companies. Fraudulent schemes may involve e-mails, text messages or phone calls that seek personal information related to refunds, filing status, ordering transcripts and verifying PIN information in order to steal the taxpayer’s information and file a fraudulent tax return or commit other identity theft such as opening financial accounts or seeking healthcare. Fraudulent emails and text messages may include links to sites designed to imitate an official-looking website, such as IRS.gov. The sites may ask for personal information and carry malware that can infect computers and allow criminals to access your files or track your keystrokes to gain information. The IRS offers many security tips. To read more, go to https://www.irs.gov/newsroom/taxpayer-guide-to-identity-theft. In case of tax related fraud, take the following steps:
Internal Revenue Service. IRS Form 14039, Identity Theft Affidavit, should be filed if the taxpayer attempts to file an electronic tax return and the IRS rejects it because a return bearing the taxpayer’s Social Security number already has been filed. This Affidavit should also be filed if the IRS instructs the taxpayer to do so. Additional information is available at https://www.irs.gov/newsroom/when-to-file-a-form-14039-identity-theft-affidavit. The IRS Identity Theft phone number is 1-800-908-4490. In addition, review the recommended actions for taxpayers who are victims of tax-related identity theft: https://www.irs.gov/individuals/data-breach- information-for-taxpayers.
State. Report tax related fraud to your state department of revenue or attorney general.
FTC. File a complaint with the FTC at www.identitytheft.gov.

Financial and Healthcare Accounts and Statements. Closely monitor all financial and healthcare accounts including credit cards, checking and saving accounts, 401k retirement funds, Health Savings Accounts, etc., as well as statements related to financial accounts and healthcare services. Contact the financial institution or healthcare provider if you see unauthorized activity or if you see transactions that you do not recognize. Contact your credit card and other financial companies with whom you have relationships to alert them that your identity was compromised and to establish additional security on your personal accounts. Remain vigilant for incidents of fraud and identity theft by reviewing bank account and healthcare statements and monitoring your credit report for unauthorized activity.

Passwords. Use a different, complex 12-character password for each online account. Choose a password that is a combination of both upper- and lower-case characters, numbers, and special symbols (such as $, *, !, #, @). Do not use a password that contains any part of your name, birthdate or Social Security number, your address, or a word that is readily identified with you from online resources such as social media (e.g., pet names, friends and family member names, favorite teams, your profession, employer, etc.). Keep your passwords in a secure location. Passwords kept in your wallet, taped to the back of a device, or stored in unencrypted files on your computer or a mobile device are not secure. Consider using a password manager to record and keep your passwords secure.