Pathology Resource Network (“PRN”) and North Mississippi Health Services (“NMHS”) are providing notice of a data security incident that occurred at Cadence Bank (“Cadence”), which provides treasury management (or “lockbox”) services1 to PRN and NMHS. Pathology Resource Network is a healthcare management company serving Delta Pathology, Omega Diagnostics, Pathology Associates of Mid Louisiana, and Diagnostic Tissue Cytology Group, which is located in the Shreveport, Louisiana area. NMHS and its affiliates are healthcare providers located in the Tupelo, Mississippi area.
On June 1, 2023, Cadence learned of a previously unknown (or “zero-day”) vulnerability affecting MOVEit Transfer (“MOVEit”), a file transfer application owned by Progress Software Corporation (“Progress”). Cadence immediately implemented patches issued by Progress for MOVEit as they became available. Cadence also engaged outside counsel, which launched an investigation with the assistance of a leading cybersecurity firm and data analytics firm and reported the matter to law enforcement. Through the investigation, on June 18, 2023, Cadence determined that an unauthorized third-party exploited the zero-day vulnerability and accessed and downloaded information being stored within the MOVEit application between May 28-31, 2023. Based on the ongoing comprehensive data analysis, Cadence determined that your personal information may have been involved. Cadence notified NMHS and PRN of the incident on September 1, 2023 and September 7, 2023, respectively. Cadence, PRN, and NMHS each performed additional enrichment and validation efforts to identify a valid address for you, which were completed on October 18, 2023.
The personal information involved may have included: name, address, date of birth, Social Security number, driver’s license number, health insurance information, medical and/or treatment information (e.g., medical record number, dates of service, medications, diagnostic and/or surgical information), and billing and claims information, including financial account information (e.g., credit card number, bank account number, account statements). Please note that not all data elements were involved for each individual. To date, Cadence is not aware of any actual fraud or identity theft instances involving your information.
Cadence takes the security of personal information very seriously. Upon learning of the vulnerability, Cadence launched a forensic investigation, took steps to mitigate and remediate the incident and help prevent further unauthorized activity, and contacted law enforcement. In response to this incident and as part of its ongoing effort to stay ahead of evolving threats, Cadence has further enhanced its security and monitoring practices and strengthened its systems to minimize the risk that a similar incident occurs in the future.
The “Additional Resources” tab at the bottom of this page includes additional information on general steps you can take to monitor and protect your personal information. Please review the Additional Resources. We also encourage you to carefully review statements sent from healthcare providers and insurance companies to ensure that all account activity is valid. Any questionable charges should be promptly reported to the provider or company with which the account is maintained. Cadence has arranged to offer free identity protection services to individuals whose Social Security number, driver’s license number, or financial account information may have been involved.
For the next 90 days, if you have any questions about this matter or would like additional information, please call toll-free 1-888-566-3567. This call center is open from 9 am – 9 pm Eastern Time, Monday through Friday, except holidays. This substitute notice and toll-free number will remain active for at least 90 days.
We apologize for any inconvenience this incident may cause you and want to assure you that we take this matter seriously. Individuals affected by this incident are being mailed notice letters. Since there may be insufficient contact information for some individuals, however, we are posting this substitute notice as permitted by the Health Insurance Portability and Accountability Act (HIPAA).
1 Lockbox banking is a service provided by banks to companies for the receipt of payment from their customers. Customers send their payments and remittance documents to a designated post office box address where the bank collects and processes the payments on behalf of the company.