Kansas City, MO – November 12, 2020 – Cornerstones of Care was recently notified of a data security incident that may have affected its patients.

On July 16, 2020, Cornerstones of Care was notified by Blackbaud of a data security incident. The incident involved a ransomware attack that was successfully mitigated, but the attacker removed the backup data files of hundreds of organizations worldwide, including Cornerstones of Care. With the assistance of law enforcement and forensic investigators, Blackbaud was able to receive confirmation that the backup data was destroyed and has confirmed that it has not been found anywhere on the internet at this time. At the time of the initial notification on July 16th, Cornerstones of Care had no reason to believe that the protected health information of our patients had been impacted in the incident. However, on September 17, 2020 Blackbaud informed Cornerstones of Care that additional information including, potentially, some personal information and information about care received at Cornerstones of Care may have been impacted.

A small number of patients may also have had their social security number impacted due to storage in legacy Blackbaud systems. Cornerstones of Care has sent letters to many of these patients, but lacked a mailing address for others. If you received care from Cornerstones of Care in the early 2000’s and have not received a letter stating that your social security number is not impacted, you may contact us at the telephone number below to inquire as to whether your social security number was potentially affected. Again, only a small number of patients potentially had their social security number affected.

Notification letters mailed today include information about the incident and steps individuals can take to monitor and protect their personal information. Cornerstones of Care has established a toll-free call center to answer questions about the incident and related concerns. The call center is available Monday through Friday from 9:00 a.m. to 9:00 p.m., Eastern Time and can be reached at 855-914-4682. 

The following information is provided to help individuals wanting more information on steps they can take to protect themselves.

Remain vigilant for incidents of fraud and identity theft by reviewing monitoring your credit reports for unauthorized activity. You may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report from each of the three nationwide credit reporting agencies. To order your free credit report, please visit www.annualcreditreport.com, or call toll-free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.

You can obtain information from Federal Trade Commission about fraud alerts, security freezes, and steps you can take toward preventing identity theft:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Ave, NW
Washington, DC 20580
1-877-IDTHEFT (438-4338)

Fraud Alerts: You can place fraud alerts with the three credit bureaus by phone and online with Equifax (https://assets.equifax.com/assets/personal/Fraud_Alert_Request_Form.pdf), Experian (https://www.experian.com/fraud/center.html), or Transunion (https://www.transunion.com/fraud-victim-resource/place-fraud-alert). A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. Initial fraud alerts last for one year. Victims of identity theft can also get an extended fraud alert for seven years. The phone numbers for all three credit bureaus are at the bottom of this page.

Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity.

Security Freeze: You also have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent. To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, regular stamped mail, or by following the instructions found at the websites listed below. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse or a minor under the age of 16, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; (5) Proof of current address, such as current utility or telephone bill, bank or insurance statement; (6) legible photocopy of government-issued identification card (state driver's license or ID card, military identification, etc.); and (7) if you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. It is free to place, lift, or remove a security freeze. You may also place a security freeze for children under the age of 16. You may obtain a free security freeze by contacting any one or more of the following national consumer reporting agencies:

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348-5788

Experian Security Freeze
P.O. Box 9554
Allen, TX 75013-9544

TransUnion (FVAD)
P.O. Box 160
Woodlyn, PA 19094

More information can also be obtained by contacting the Federal Trade Commission listed above. 

Protecting Medical Information: To date, we have no reason to believe that your PHI potentially involved in this incident was or will be used for any unintended purposes. As a general matter, however, the following steps can help protect you from medical identity theft.

  • Do not share health insurance cards with anyone apart from your care providers and other family members who are covered under the insurance plan or who help you with your medical care.
  • Review the “explanation of benefits statements” that you receive from your health insurance company. If you see something amiss, follow up with your insurance company or the health care provider identified on the explanation of benefits to request further information.
  • Ask your health insurance company for a report on all services they have paid for you for the current year. If you do not recognize an item in that list, speak with your insurance company to verify it.