Additional senior living operators, staff members and residents potentially were affected by an April software data breach originally announced in June, St. Paul, MN-based software company Tenx Systems, doing business as ResiDex Software, announced Thursday.
Personal information or protected health information — including names, Social Security numbers and medical records — of current, former or prospective residents and staff members of The Villages of Marion, IA, including the Village Ridge assisted living community and Village Place independent living community, as well as some CentraCare Health senior living communities in Minnesota, were put at risk by the data security incident, ResiDex said Thursday. The communities join dozens of others in four states previously announced as potentially being affected.
CentraCare Health has 19 senior living communities in Minnesota, according to its website. A “limited number” of them potentially were affected by the incident, ResiDex said.
ResiDex specializes in providing software for assisted living communities, group homes and other organizations providing care for older or disabled adults. The company said it became aware of the data security incident on April 9. The breach affected the company’s server infrastructure and took its systems offline, according to ResiDex.
“ResiDex immediately undertook efforts to restore its servers to a new hosting provider,” the company said. “Backups and other information maintained by ResiDex were used to enable near seamless restoration of security and services on the same day. Additionally, ResiDex took affirmative steps to further safeguard its software systems.”
A forensic investigation firm determined that ResiDex systems were first accessed around April 2 and that the ransomware was launched April 9, the company said. Investigators, however, were unable to identify any specific individuals whose personal information or protected health information may have been compromised, “due to the complexity of the event and efforts undertaken by the perpetrators to conceal their actions,” ResiDex said. Nobody may have had their information compromised, but the company said it began notifying all those potentially affected on June 7 “in an abundance of caution.”
ResiDex publicized lists of potentially affected operators in Massachusetts, Minnesota, Missouri and Tennessee on June 18. Before Thursday, the company had not directly, publicly announced that Iowa was one of the states where operators were affected by the incident, although the Iowa attorney general’s website contains two letters related to the incident.
A June 19 letter from ResiDex attorneys indicates that 812 current Iowa residents of Presbyterian Homes and Services communities could have been affected by the incident. Additionally, in a separate June 19 letter posted to the Iowa attorney general’s website on July 1, ResiDex attorneys state that a total of 802 current Iowa residents at Village Ridge and Village Place in Marion, IA, and Autumn Pointe, an assisted living community in Fort Calhoun, NE, near the Iowa state border, could have been affected by the incident.
People who have been notified or who believe that they may have been affected by the incident can call (877) 347-0184 weekdays between 9 a.m. and 9 p.m. EST, ResiDex said.