Data Incident - Kitsap Mental Health Services

Notice of Data Incident

What Happened?

On October 17, 2024, during routine monitoring of our systems, Kitsap Mental Health Services (“KMHS” or “we”) detected suspicious activity in our business network. We immediately began an investigation and took steps to contain and remediate the situation, including by changing passwords, deploying tools for increased monitoring, reporting to law enforcement, and engaging data security and privacy experts to assist.

Due to the nature of the incident, the investigation is still ongoing into what data pertaining to individuals was affected. Currently, the investigation has found evidence that on September 17, 2024 and between October 8, 2024 and October 19, 2024, an unauthorized actor accessed some KMHS systems. There is currently no evidence of identity theft or fraud in connection with this incident.

What Information Was Involved?

Based on the current findings of the investigation, the following types of information may have been impacted: name, address, birth date, Social Security number, driver’s license or state identification number, medical diagnosis, condition, and/or treatment information, medications, claims information, financial information, and any information on an individual that was created, used, or disclosed in the course of providing health care services.

These are general categories of information that we believe may be present within the affected systems and may have been accessed by unauthorized actors during the incident. However, specific individuals and the extent of the information accessed are not yet known. While our investigation is ongoing, we are providing this notice to all individuals who may potentially be affected by this situation.

What We Are Doing

In addition to the actions described above, the KMHS team has been working diligently to continue our investigation and adopt additional safeguards on top of our existing protections. We continue to work with leading data security and privacy firms to aid in our investigation and response, and we are reporting this incident to relevant government agencies.

What Can Impacted Individuals Do?

The investigation is ongoing and the identities of individuals who were affected is not yet known. However, out of an abundance of caution, KMHS encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Under U.S. law, individuals are entitled to one (1) free credit report annually from each of the three (3) major credit reporting bureaus. Additional information and resources are outlined below.

If you have questions for KMHS, you can call us toll-free at 1-800-627-0335, contact us by email at compliance@kmhs.org, or by mail at 5455 Almira Drive NE, Bremerton, WA 98311, Attention: Compliance.

Steps You Can Take to Protect Your Personal Information

To obtain a free credit report, individuals may visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228.

Alternatively, affected individuals can contact the three (3) major credit reporting bureaus directly at the addresses below:

Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111

Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742

TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213

Free Credit Report.  It is recommended that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit report for unauthorized activity.  You may obtain a copy of your credit report, free of charge, once every twelve (12) months from each of the three nationwide credit reporting agencies.

To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.

You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

Fraud Alert – You may place a fraud alert in your file by calling one of the three nationwide credit reporting agencies above.  A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts.  For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.

Security Freeze –  You may obtain a security freeze on your credit report, free of charge, to protect your privacy and ensure that credit is not granted in your name without your knowledge.  You may also submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft.  You have a right to place a security freeze on your credit report, free of charge, or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.

The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.  The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.  When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place.

To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three credit reporting agencies listed above.  The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.  The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement.  It is essential that each copy be legible, and display your name, current mailing address, and the date of issue.

Federal Trade Commission and State Attorneys General Offices –  If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state.  You may also contact these agencies for information on how to prevent or avoid identity theft. Contact information for the Consumer Response Center of the Federal Trade Commission is 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/ or 1-877-IDTHEFT (438-4338).

Protecting Medical Information

If you are concerned about protecting your medical information, the following practices can provide additional safeguards to protect against medical identity theft.

Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.
Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.

7:00 AM	Shift begins; check in with night shift to ensure continuity for ongoing cases
8:00 AM	Outreach presentation to regional high school counselors
8:55 AM	Drive to a South Kitsap middle school for a “warm hand-off” of youth to new support services
9:20 AM	Receive call from a Central Kitsap middle school counselor on the way to South Kitsap
9:35 AM	In South Kitsap, meet with a youth’s mom, dad, school support staff and new school-based WISe intensive support team to discuss care for young person whose behaviors have led to severe weight loss; resolution includes therapy for the youth and an appointment at Kitsap Resolution Center for parents to work on co-parenting skills
11:20 AM	Lunch
12:00 PM	Answer emails and enter progress notes in client charts
1:20 PM	Follow up with a client by phone
1:40 PM	Follow up with a client at the Crisis Triage Center
2:15 PM	Drive to a Central Kitsap middle school to provide support with school counselor for youth who is drawing pictures that indicate suicidal thoughts; refer to WISe intensive support team
4:35 PM	Answer crisis call with adult who tried to suffocate themself; talk to paramedics and caller’s family; client is taken to St. Michael Medical Center
5:55 PM	Follow up with a youth’s parents to offer resources covered by their insurance
7:00 PM	Shift ends

Donations	$57,706
Investment Income	$2,350,966
Medicaid Managed Care	$40,516,387
Other Contracts/Misc	$16,788,859
Private Fee/Insurance	$439,572
Total	$60,153,490

24/7 Evaluation & Treatment, Residential, Supported Housing	$12,105,599
Adult Services	$16,363,069
Child & Family Services	$10,222,802
Emergency Services	$5,106,174
General & Administrative	$13,284,787
Total	$57,082,431

Notice of Data Incident

Steps You Can Take to Protect Your Personal Information

Protecting Medical Information

Stay Up to Date with KMHS