As described in the notice below, an unauthorized third-party exploited the zero-day vulnerability affecting MOVEit Transfer and accessed and downloaded information being stored within the MOVEit application between May 28-31, 2023. Based on the comprehensive data analysis that was performed and ultimately completed in late October 2023, it was determined that personal information associated with PRN and NMHS may have been involved. Cadence notified PRN and NMHS on November 9, 2023. Cadence, PRN, and NMHS have since performed additional enrichment and validation efforts to identify a valid address for you.
Based on the review, the personal information involved may have included: name, address, date of birth, Social Security number, driver’s license number, health insurance information, medical and/or treatment information (e.g., medical record number or other patient identifier, medications), and billing and claims information, including financial account information (e.g., credit card number, bank account number). Please note that not all data elements were involved for each individual. To date, Cadence is not aware of any actual fraud or identity theft instances involving your information.
Until March 28, 2024, individuals associated with PRN and NMHS may visit https://response.idx.us/MOVEitincident2023 or call toll-free (888) 566-3567 to ask questions and learn additional information. Further information about this incident is provided below in the notice originally posted on October 27, 2023.
Pathology Resource Network (“PRN”) and North Mississippi Health Services (“NMHS”) are providing notice of a data security incident that occurred at Cadence Bank (“Cadence”), which provides treasury management (or “lockbox”) services1 to PRN and NMHS. Pathology Resource Network is a healthcare management company serving Delta Pathology, Omega Diagnostics, Pathology Associates of Mid Louisiana, and Diagnostic Tissue Cytology Group, which is located in the Shreveport, Louisiana area. NMHS and its affiliates are healthcare providers located in the Tupelo, Mississippi area.
On June 1, 2023, Cadence learned of a previously unknown (or “zero-day”) vulnerability affecting MOVEit Transfer (“MOVEit”), a file transfer application owned by Progress Software Corporation (“Progress”). Cadence immediately implemented patches issued by Progress for MOVEit as they became available. Cadence also engaged outside counsel, which launched an investigation with the assistance of a leading cybersecurity firm and data analytics firm and reported the matter to law enforcement. Through the investigation, on June 18, 2023, Cadence determined that an unauthorized third-party exploited the zero-day vulnerability and accessed and downloaded information being stored within the MOVEit application between May 28-31, 2023. Based on the ongoing comprehensive data analysis, Cadence determined that your personal information may have been involved. Cadence notified NMHS and PRN of the incident on September 1, 2023 and September 7, 2023, respectively. Cadence, PRN, and NMHS each performed additional enrichment and validation efforts to identify a valid address for you, which were completed on October 18, 2023.
The personal information involved may have included: name, address, date of birth, Social Security number, driver’s license number, health insurance information, medical and/or treatment information (e.g., medical record number, dates of service, medications, diagnostic and/or surgical information), and billing and claims information, including financial account information (e.g., credit card number, bank account number, account statements). Please note that not all data elements were involved for each individual. To date, Cadence is not aware of any actual fraud or identity theft instances involving your information.
Cadence takes the security of personal information very seriously. Upon learning of the vulnerability, Cadence launched a forensic investigation, took steps to mitigate and remediate the incident and help prevent further unauthorized activity, and contacted law enforcement. In response to this incident and as part of its ongoing effort to stay ahead of evolving threats, Cadence has further enhanced its security and monitoring practices and strengthened its systems to minimize the risk that a similar incident occurs in the future.
The “Additional Resources” tab at the bottom of this page includes additional information on general steps you can take to monitor and protect your personal information. Please review the Additional Resources. We also encourage you to carefully review statements sent from healthcare providers and insurance companies to ensure that all account activity is valid. Any questionable charges should be promptly reported to the provider or company with which the account is maintained. Cadence has arranged to offer free identity protection services to individuals whose Social Security number, driver’s license number, or financial account information may have been involved.
For the next 90 days, if you have any questions about this matter or would like additional information, please call toll-free 1-888-566-3567. This call center is open from 9 am – 9 pm Eastern Time, Monday through Friday, except holidays. This substitute notice and toll-free number will remain active for at least 90 days.
We apologize for any inconvenience this incident may cause you and want to assure you that we take this matter seriously. Individuals affected by this incident are being mailed notice letters. Since there may be insufficient contact information for some individuals, however, we are posting this substitute notice as permitted by the Health Insurance Portability and Accountability Act (HIPAA).
1 Lockbox banking is a service provided by banks to companies for the receipt of payment from their customers. Customers send their payments and remittance documents to a designated post office box address where the bank collects and processes the payments on behalf of the company.
Cadence Bank is offering IDX identity theft protection services which helps protect your identity with:
Credit monitoring (for adults) that alerts you to any changes to your credit report
CyberScan will monitor criminal websites, chat rooms, and bulletin boards for illegal selling or trading of your personal information
Up to $1,000,000 in insurance reimbursements, covering certain expenses that you may incur in responding to an ID theft event
Access to Fraud Resolution Representatives to resolve identity theft issues
Exclusive educational materials on protecting your identity including instructive articles, up-to-date information on new identity theft scams and tips for protecting yourself
Carefully review statements sent to you from your healthcare providers, insurance company, and financial institutions to ensure that all of your account activity is valid. Report any questionable charges promptly to the provider or company with which you maintain the account.
Your health care provider’s office may ask to see a photo ID to verify your identity. Please bring a photo ID with you to every appointment if possible. Your provider’s office may also ask you to confirm your date of birth, address, telephone, and other pertinent information so that they can make sure that all of your information is up-to-date. Please be sure and tell your provider’s office when there are any changes to your information. Carefully reviewing this information with your provider’s office at each visit can help to avoid problems and to address them quickly should there be any discrepancies.
To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through the website, toll-free number or request form.
Upon receiving your credit report, review it carefully. Look for accounts you did not open. Look in the “inquiries” section for names of creditors from whom you have not requested credit. Some companies bill under names other than their store or commercial names; the credit bureau will be able to tell if this is the case. Look in the “personal information” section for any inaccuracies in information (such as home address and Social Security Number).
If you see anything you do not understand, call the credit bureau at the telephone number on the report. Errors may be a warning sign of possible identity theft. You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected. If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing. Information that cannot be explained should also be reported to your local police or sheriff’s office because it may signal criminal activity.
If you detect any unauthorized transactions in any of your financial accounts, promptly notify the appropriate payment card company or financial institution. If you detect any incidents of identity theft or fraud, promptly report the matter to your local law enforcement authorities, state Attorney General and the FTC.
You can contact the FTC to learn more about how to protect yourself from becoming a victim of identity theft by using the contact information below:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect against the possibility of an identity thief opening new credit accounts in your name. When a credit grantor checks the credit history of someone applying for credit, the credit grantor gets a notice that the applicant may be the victim of identity theft. The alert notifies the credit grantor to take steps to verify the identity of the applicant. You can place a fraud alert on your credit report by calling any one of the toll-free fraud numbers provided below. You will reach an automated telephone system that allows flagging of your file with a fraud alert at all three credit bureaus.
P.O. Box 105069
Atlanta, Georgia 30348
P.O. Box 9554
Allen, Texas 75013
P.O. Box 2000
Chester, PA 19016
You have the right to request a credit freeze from a consumer reporting agency, free of charge, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a security freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a security freeze may delay your ability to obtain credit.
Unlike a fraud alert, you must separately place a security freeze on your credit file at each credit bureau. To place a security freeze on your credit report you must contact the credit reporting agency by phone, mail, or secure electronic means and provide proper identification of your identity. The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.
Below, please find relevant contact information for the three consumer reporting agencies:
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
P.O. Box 160
Woodlyn, PA 19094
Once you have submitted your request, the credit reporting agency must place the security freeze no later than 1 business day after receiving a request by phone or secure electronic means, and no later than 3 business days after receiving a request by mail. No later than five business days after placing the security freeze, the credit reporting agency will send you confirmation and information on how you can remove the freeze in the future.