Update: Notice of Data Breach
August 1, 2022
NOTICE OF DATA BREACH
Dear Community Member,
We are writing to tell you about a data security breach with the e-mail system at Disability Rights Ohio. The data security breach may have included your personal information. DRO takes the protection and proper use of your information very seriously. We are contacting you to explain what happened and tell you steps you can take to protect yourself.
DRO is given information by facilities and organizations that it investigates as the protection and advocacy system for people with disabilities in Ohio. It also gets information from its clients, guardians, courts, and others involved in the placement, care and oversight of its clients. This information may include names, addresses, e-mail addresses, dates of birth, and information about mental and other health conditions of its clients and other people with disabilities.
On June 15, 2022, DRO’s information technology personnel discovered a breach of the e-mail account of one DRO employee. Specifically, someone outside of DRO had unlawful access to that one employee’s email. A careful review shows that the cybercriminal who accessed the account did not have access to any other e-mail accounts or other DRO systems or data bases. The data breach was limited to this one employee’s email and thus only to those people whose names were in the one employee’s e-mail messages and attachments to those messages.
What Information Was Involved?
The cybercriminals did not gain access to your Social Security number, driver’s license or other state issued identification number, or your credit card or bank account information. They may have found your name, address, e-mail address, date of birth, and information about mental or other health conditions, if this information was in e-mail messages or their attachments.
What We Are Doing.
DRO has a new e-mail system that provides greater security. DRO has told its staff to use care in sending and storing information about clients and others in its e-mail system, and will, wherever possible, send and store information through a secure data base system already in use at DRO. DRO has retained a forensic information technology firm to help it in reviewing the breach, and to give more recommendations for improving data security.
What You Can Do.
We recommend that you look for any suspicious activity on your credit card accounts, bank accounts, or other accounts. You should promptly report any suspicious activity or suspected identity theft to DRO and to the proper law enforcement authorities, your credit card providers, and your financial institutions. You may put an initial fraud alert on your credit report. This alert will last for one year, can be canceled at any time, and is renewable. An initial fraud alert can make it harder for an identity thief to open accounts in your name.
When you have an initial fraud alert, you should be notified if there are any attempts to open new accounts using your personal information. You only need to contact one of the three national credit reporting agencies to place an alert; that agency then will contact the other two agencies. You may contact one of the following:
- TransUnion, www.transunion.com, 800-680-7289
- Equifax, www.equifax.com, 800-525-6285
- Experian, www.experian.com, 888-397-3742
You can obtain an extended seven-year alert if you provide a valid police report showing that you have been a victim of identity theft. Additionally, an active-duty alert is available to individuals on active military duty.
You may place a freeze on your credit reports. This prohibits a credit reporting agency from releasing information in your credit report without your express permission or approval. A credit freeze is designed to prevent an identity thief from using your information to be approved for credit, loans, or services in your name.
If you wish to freeze your credit with all three of the credit reporting agencies, you must send a request to each agency. You may send your requests in writing, and it must be sent by certified mail or other comparable service, or through a secured electronic method authorized by the credit reporting agencies.
When you request to freeze your credit, the credit reporting agency will provide you a unique PIN or password (not your Social Security number) for verification purposes, or you will be asked to create a unique username and password.
You can request a temporary lifting of the credit freeze at any time.
There are no charges to place, temporarily lift, or remove a credit freeze.
If you would like more information, or you suspect that your identity has been stolen or your personal information has been used improperly, you can contact the Federal Trade Commission and your state’s attorney general:
Federal Trade Commission Ohio Attorney General
600 Pennsylvania Avenue NW Consumer Protection Section
Washington, DC 20580 30 E. Broad St., 14th Floor
www.ftc.gov Columbus, Ohio 43215
(202) 362-2222 www.ohioattorneygeneral.gov
Further, if you suspect that your identity has been stolen or that your personal information is being used, you should also contact the national credit reporting agencies:
Equifax Credit Information Services, LLC TransUnion Consumer Relations
PO Box 740241 PO Box 2000
Atlanta, GA 30374 Chester, PA 19016-2000
(888) 548-7878 (800) 916-8800
Experian National Consumer Assistance
PO Box 4500
For More Information
We sincerely apologize that this happened and regret any inconvenience it may cause you. Should you have further questions or concerns regarding this breach or the protections available to you, please contact Laura Osseck at 614-466-7264 ext. 123.