NOTICE OF DATA INCIDENT

Sleep Management Institute and its affiliates (“Sleep Management” or “we”) is providing notice of an incident that may affect protected health information and/or personally identifiable information stored in our systems. 

What Happened? 

On February 5, 2024, we identified unusual activity on our computer systems with indicators consistent with a ransomware incident. We immediately began an investigation and took steps to contain the situation, including by proactively taking certain systems offline, changing passwords, notifying federal law enforcement and engaging cybersecurity and privacy professionals to assist. 

At this time, and due to the nature of the incident, the investigation is still ongoing into what data pertaining to individuals was affected. Currently, the investigation has found evidence that unauthorized actors accessed the Sleep Management systems from January 27, 2024, to February 6, 2024. While there is currently no indication that unauthorized actors have misused any information for identity theft or fraud in connection with this incident, we are providing this notice to all individuals who may be potentially affected by this situation. 

What Information Was Involved? 

While the investigation is ongoing, there is a possibility that the following types of information may have been impacted: name, address, date of birth, Social Security Number or taxpayer identification number, driver’s license number or other government-issued identification number, passport number, financial account information, payment card information, username and other credential information, digital signature, biometric data, mother’s maiden name, IRS-issued pin number, clinical or treatment information, medical provider name(s), medical procedure information, health insurance information, prescription information, and any other information on an individual that was created, used, or disclosed in the course of providing health care services.  Note that this describes general categories of information identified as present within the affected systems and may have been accessed by unauthorized actors during the incident. However, specific individuals and the extent of the information involved is not yet known. Because this investigation is ongoing, Sleep Management is providing notice to all individuals who may be potentially affected by this situation.

What We Are Doing. 

In addition to the steps described above, Sleep Management also added measures to improve the security of our systems and practices, including updating our network configurations and firewalls, deploying a 24/7 managed detection and response solution, enabling content filtering on all devices, installing intrusion prevention systems and advanced malware protection to monitor and prevent malicious network traffic, and implementing a more secure VPN protocol to better safeguard access to our networks. We have been working diligently to continue our investigation, bring systems back online as quickly and securely as possible, and add further technical safeguards to our existing protections. We continue to work with leading privacy and security professionals to aid in our investigation and response, and we are reporting this Incident to relevant government agencies.   

What Can Impacted Individuals Do? 

The investigation is ongoing and the identities of individuals who were affected are not yet known. However, out of an abundance of caution, Sleep Management encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements, explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Under U.S. law, individuals are entitled to one (1) free credit report annually from each of the three (3) major credit reporting bureaus. Additional information and resources are outlined below. 

If you have questions for Sleep Management, you can contact us at 513-977-8882 or by email at grucosky@sleepmanagement.md. 

Steps You Can Take to Protect Your Personal Information 

To obtain a free credit report, individuals may visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. 

Alternatively, affected individuals can contact the three (3) major credit reporting bureaus directly at the addresses below: 

Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111 

Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742 

TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213 

Free Credit Report. It is recommended that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit report for unauthorized activity. You may obtain a copy of your credit report, free of charge, once every twelve (12) months from each of the three (3) nationwide credit reporting agencies. 

To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. 

You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. 

Fraud Alert. You may place a fraud alert in your file by calling one (1) of the three (3) nationwide credit reporting agencies above. A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. 

Security Freeze.  You may obtain a security freeze on your credit report, free of charge, to protect your privacy and confirm that credit is not granted in your name without your knowledge. You may also submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report, free of charge, or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act. 

The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place. 

To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three (3) credit reporting agencies listed above. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for them as well): (1) full name, with middle initial, and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five (5) years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, and display your name, current mailing address, and the date of issue. 

Federal Trade Commission and State Attorneys General Offices.

If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state. You may also contact these agencies for information on how to prevent or avoid identity theft. Contact information for the Consumer Response Center of the Federal Trade Commission is 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/ or 1-877-IDTHEFT (438-4338). 



Protecting Medical Information. 

If you are concerned about protecting your medical information, the following practices can provide additional safeguards to protect against medical identity theft. 

• Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care. 

• Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date. 

• Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.