Choice Health Management Services has announced an email data breach that could affect an undisclosed number of residents at some of its 18 independent living, assisted living, memory care and skilled nursing facilities, as well as employees and third parties associated with those facilities.

The Claremont, NC-based company provides IT, payroll, billing and compliance functions for several senior living and care communities in North Carolina and South Carolina. 

In late 2019, the company discovered “suspicious activity” in some employee email accounts and hired a third-party forensic investigator after being unable to determine what information was accessed. The investigation concluded March 27 and found that personal health information was contained in some of the email accounts, leading Choice Health to review its internal records to determine which individuals and which specific facilities were affected by the breach. The internal review was completed May 12.

On April 16 and May 22, Choice Health notified facilities about the breach and requested permission to notify residents and patients.

“Upon learning of this incident, Choice Health Management Services blocked access to the email accounts, changed the users’ account credentials, rebuilt computers to eradicate any potential virus or malware from the computer, and launched an in-depth investigation to determine the nature and scope of the incident,” a news release stated. In addition, the company said it reviewed its privacy policies and procedures and implemented additional safeguards to secure information. 

Choice Health said that the information affected by this event varied by individual but included first and last names and one or more of the following data: date of birth, Social Security number, driver’s license number, passport number, financial information, usernames and passwords, and patient medical information. The company said it was unaware of any actual misuse of personal information but provided notice “in an abundance of caution.”

Choice Health began mailing notice letters to affected individuals on June 23, the same day it published a public notice sharing steps that those affected can take.

Affected facilities offering assisted living services include Blumenthal Nursing & Rehabilitation, Catawba Valley Assisted Living, Litchford Nursing & Rehabilitation Center, Universal Health Care / Lillington and UHC / Oxford. Facilities providing memory care services affected by the breach include UHC / Brunswick and UHC / Ramseur.