June 19, 2020 Notice: Unauthorized Access to Database at CodeMetro Containing Personal Information
CodeMetro, a provider of software solutions such as NPAWorks to applied behavior analysis providers, announced that it suffered a ransomware attack on April 21, 2020, which was detected within hours of its deployment. Upon discovery, CodeMetro took immediate steps to contain the threat and engaged a third-party forensic firm to investigate the incident and assist with remediation efforts. CodeMetro also notified federal law enforcement authorities of the incident. CodeMetro is providing the notice and this website on behalf of the applied behavior analysis providers listed below.
CodeMetro’s investigation found that, before deploying the ransomware, the criminals accessed a database server and deployed tools to copy and exfiltrate some data. It was determined that the personal health information of some of CodeMetro’s providers’ patients may have been involved, and CodeMetro notified potentially affected providers of the incident by letter dated May 29, 2020. The patient information may have included:
1. Information to identify and contact the patient (such as patient name, patient picture, parent/legal guardian name, guarantor name, address, email address, phone number, date of birth, gender, and ethnicity);
2. School information (such as school name, Individualized Education Program (IEP) start and review dates, assessment and psychological evaluation dates, and eligibility type (type of behavioral or developmental condition or impairment));
3. Health insurance information (such as payer name, payer contract dates, policy information including type and deductible amount, and policy ID number); and
4. Medical information (such as dates of enrollment with an ABA provider’s services, authorized services, allotted time/number of sessions, diagnostic codes and modifiers, charge/reimbursement rates, outcomes, and provider names).
Please note that the data fields that may have been impacted depend on the provider and not all data fields may have been involved for all individuals. If the patient is covered under TRICARE, the health insurance ID number may be a guarantor/legal guardian’s Social Security number.
CodeMetro takes data security incidents very seriously and has taken steps to protect the data entrusted to it going forward. As soon as CodeMetro discovered the incident, it launched a forensic investigation, contacted law enforcement, and began remediation. In response to this incident, CodeMetro has also enhanced its security and monitoring and hardened its systems to reduce the risk of a similar incident in the future.
Individuals should carefully review their credit reports and the statements sent by their providers and their insurance company to confirm that all account activity is valid. Any questionable charges should be promptly reported to the provider’s billing office or, for insurance statements, to the insurance company. CodeMetro is also providing additional information about general steps individuals can take to protect their information in the Reference Guide. CodeMetro is offering complimentary credit monitoring to the limited number of guarantors/legal guardians whose Social Security numbers may have been involved (see the TRICARE note above), and will contact those individuals separately.
Individuals who may have been affected by this incident are being mailed notices. Because contact information for some individuals whose information was contained in the affected CodeMetro database may be insufficient or out of date, the Notice is also posted on CodeMetro’s providers’ websites as a substitute notice consistent with HIPAA.
Individuals may visit www.codemetrotransparency.com or call 1-855-907-2106 (toll-free) to ask questions and learn additional information. The call center is open 9:00 a.m. to 9:00 p.m. ET, Monday through Friday, except holidays. This substitute notice and the toll-free number will remain available for at least 90 days.