Posted On November 3, 2022 Consumer Privacy & Data Breaches
On October 31, 2022, Three Rivers Provider Network (“TRPN”) filed notice of a data breach with the Vermont Attorney General after the company learned that an unauthorized party had gained access to an employee email account containing sensitive consumer information. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, dates of birth, addresses, Social Security numbers, passport numbers, driver’s license or state-issued ID numbers, and health information. After confirming that consumer data was leaked, TRPN began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the TRPN data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Three Rivers Provider Network.
The available information regarding the Three Rivers Provider Network breach comes from the company’s filing with the Office of the Vermont Attorney General as well as notice provided on the TRPN website. According to these sources, on June 3, 2022, TRPN learned that an unauthorized party had gained access to a single employee’s email account. In response, the company secured the affected account and launched an investigation to determine the nature and scope of the incident, as well as what, if any, consumer data was compromised.
On August 17, 2022, the company’s investigation confirmed that sensitive information belonging to certain individuals was among the data accessible to the unauthorized party through the compromised email account.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Three Rivers Provider Network began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, date of birth, address, Social Security number, passport number, driver’s license or state-issued ID number, and health information
On October 31, 2022, Three Rivers Provider Network sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1996, Three Rivers Provider Network is a proprietary provider of insurance coverage based in Las Vegas, Nevada. The company has a network of more than 4.3 million provider locations, including than 5,000 hospitals and 75,000 ancillary facilities such as acute care hospitals, surgery centers, network physicians, MRI centers, laboratories, radiology practices, urgent care clinics, home health providers, DME, chiropractors, physical therapists, and mental health providers. Three Rivers Provider Network employs more than 106 people and generates approximately $111 million in annual revenue.
In its recent data breach letter, Three Rivers Provider Network explained that the incident leading to the breach was the result of an unauthorized party gaining access to an employee’s email account. While hackers have a few different techniques to obtain an employee’s email login credentials, most email-based cyber attacks involve phishing.
Phishing is a type of cyberattack where a hacker sends an employee of a company an email hoping to get them to provide the hacker with access to their employer’s computer network. In a phishing email, hackers take one of two approaches; they either try to trick the employee into giving them information or click on a malicious link. The hacker does this by relying on principles of social engineering to make the employee believe as though they should go ahead and do what the email suggests without the need to confirm their decision with management. For example, a phishing email might ask for an employee’s login information in an email explaining that someone attempted to access the employee’s email account, and now the employee needs to “sign-in” to change their password. However, in reality, this is just a trick.
Of course, hackers disguise their attempts by sending phishing emails from a seemingly legitimate source. And phishing emails are designed to look official. For the most part, hackers are very skilled at creating fraudulent emails, and may use the correct company logo and will even use a very official-sounding email address.
The other approach is to include a malicious link in the email that, when clicked, takes the employee to a totally unrelated website that, again, appears to be legitimate. In some cases, hackers will attach malicious files to an email, asking the employee to download the file.
According to the Identity Theft Resource Center, a third of all cyberattacks in 2021 involve phishing attacks, making them the most common type of cyberattack. Primarily, this is because phishing attacks are among the easiest to carry out and have an incredibly high success rate.
For example, according to a 2021 study, United States employees receive an average of 14 malicious emails per year. However, employees in the retail sector and other highly targeted industries receive more than four times that number. Perhaps the most shocking statistic about phishing attacks is that 86% of companies reported having at least one employee click a phishing link in 2021.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the TRPN data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Three Rivers Provider Network (the actual notice sent to consumers can be found here):
Three Rivers Provider Network is providing notice of an incident that may have involved personal information about you. The security of our network and of personal information are among our top priorities.
Three Rivers Provider Network recently detected unauthorized access and activity within one TRPN individual’s email inbox. We promptly initiated an investigation and secured the compromised account. Our investigation indicated that some personal information was present within the inbox and may have been acquired by an unauthorized party.
What information was involved?
While our investigation indicated that some personal information was present within the inbox and may have been acquired by an unauthorized party, there is no evidence that any data has been misused.
Personal information that may have been impacted includes: name, date of birth, address, social security number, passport number, driver’s license or state-issued ID number, and health information.
What are you doing?
The security of our network and of personal information are among our top priorities. We have thoroughly investigated this incident and have taken additional steps to further secure our systems. We apologize for any inconvenience caused by this matter.
We are providing notice by this announcement to anyone who may have been potentially impacted by this incident and are offering complimentary credit monitoring services to individuals based on the personal information that was potentially impacted.
How do I enroll in credit monitoring or what if I have questions?
Out of an abundance of caution, we are offering 24-months of complimentary credit monitoring services to individuals based on the personal information that was potentially impacted. To enroll in credit monitoring services, visit [Redacted] or call 1-855-904-2303 (Monday – Friday 9am-9pm EST and Saturday – Sunday 9am-6pm EST). If you have any questions regarding this notice, and to determine whether your information was impacted, please contact 1-855-904-2303.