Notice of security incident for TBH clients from 2015 and prior years

7.20.20 Update: You should have received a letter from CodeMetro outlining the steps they have taken and, for those of you whose Social Security number may have been accessed, offering credit monitoring at no cost to you. If you do not receive a letter from CodeMetro, you may visit the website below for additional information or contact TBH for assistance at compliance@tbh.com.

Valued TBH Client,

Unfortunately, we need to inform you of a data security incident at a former technology vendor of TBH that may have affected some of your family’s personal information.

CodeMetro provides software solutions to applied behavior analysis providers, including Trumpet Behavioral Health. Trumpet utilized CodeMetro’s software application from 2012 until 2015. Although we are no longer an active customer of CodeMetro, they do currently archive data from certain client files. It is this archival data that was breached. CodeMetro sent notices to its customers at the end of May, and TBH became aware of the incident on June 3, 2020.

You should have received a letter from CodeMetro outlining the steps they have taken and offering credit monitoring at no cost to you. If you do not receive a letter from CodeMetro, you may visit the website below for additional information or contact TBH for assistance at compliance@tbh.com.

The following information is based on CodeMetro’s report to us:

On April 21, 2020, CodeMetro systems suffered a ransomware attack, which was detected within hours of its deployment. Upon discovery, CodeMetro took immediate steps to contain the threat and engaged a third-party forensic firm to investigate the incident and assist with remediation efforts. CodeMetro also notified federal law enforcement authorities of the incident.

Their investigation has found that prior to deploying the ransomware, the criminals were able to access a database server and deploy tools to copy and remove some data. The database server contained health-related patient information.

CodeMetro was able to determine that your personal information may have been potentially involved. The patient information that was involved may have included (1) information to identify and contact the patient (such as patient name, patient picture, parent/legal guardian name, guarantor name, address, email address, phone number, date of birth, gender, and ethnicity); (2) school information (school name, Individualized Education Program (IEP) start and review dates, assessment and psychological evaluation dates, and eligibility type (type of behavioral or developmental condition or impairment)); (3) health insurance information (payer name, payer contract dates, policy information including type and deductible amount, and policy ID number); and (4) medical information (dates of enrollment with our services, authorized services, allotted time/number of sessions, diagnostic codes and modifiers, charge/reimbursement rates, outcomes, and provider names). If your child was covered under TRICARE, the health insurance ID number may be a guarantor/legal guardian’s Social Security number.

We encourage you to remain vigilant in monitoring your account statements, bills, notices, credit reports, and insurance transactions for any unusual or unauthorized activity, and to promptly report such incidents.

If you have additional questions about this matter or do not receive the communication from CodeMetro, you should visit www.codemetrotransparency.com, or call toll-free 1-855-907-2106. The call center will be open from 9:00 AM to 9:00 PM Eastern time, Monday through Friday, except holidays. We apologize for any concern this incident may cause you and we greatly appreciate your understanding.

We sincerely regret that this incident occurred. We take the privacy of your personal information seriously and regret that a former vendor of ours suffered this attack. We will continue to evaluate our vendor relationships, their security obligations and our records retention policies to ensure we are protecting your personal data appropriately. If you have additional questions, please contact compliance@tbh.com.

Sincerely,
Ned Carlson
CEO
Trumpet Behavioral Health