On August 14, 2023, VNS Health (“VNS”) filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after discovering that TMG Health, a third-party vendor of VNS, experienced a data breach affecting information that VNS provided to the vendor. In this notice, VNS explains that the TMG Health data breach resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, Social Security numbers, addresses, dates of birth, billing information, and medical information. Upon completing its investigation, VNS began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a data breach notification from VNS Health, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options following the VNS Health data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting VNS Health Customers?

The vendor data breach at VNS Health was only recently announced, and more information is expected in the near future. However, VNS’s filing with the U.S. Department of Health and Human Services Office for Civil Rights provides some important information on what led up to the breach. VNS also posted notice of the incident on its website.

According to this source, TMG Health is a vendor that provides administrative services to VNS. In relation to these services, TMG receives personal health information regarding VNS members.

On May 31, 2023, TMG Health learned of a security vulnerability affecting TMG’s MOVEit Secure File Transfer server. On June 2, 2023, TMG launched an investigation and installed all patches to remediate the MOVEit vulnerability.

On June 21, 2023, TMG Health confirmed that an unauthorized party accessed and downloaded certain files from TMG’s MOVEit server between May 30 and June 2, 2023. TMG Health informed VNS of the incident the following day, on June 22, 2203. Then, on June 27, 2023, TMG learned that the unauthorized party claimed to have some or all of the affected files.

After learning that sensitive consumer data was accessible to an unauthorized party, TMG Health reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, mailing address, telephone number, email address, date of birth, Social Security number, member ID, Medicare and/or Medicaid number, benefit and subsidy information, billing information, medical claims information, healthcare provider name and specialty, and dates of service.

On August 14, 2023, TMG Health sent out data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of what information belonging to them was compromised.

More Information About VNS Health

VNS Health is a home and community healthcare company based out of New York City, New York. VNS also offers a variety of health plans. VNS provides a range of homecare options, including rehabilitation care, wound care, nursing care, stroke care, behavioral health care, and more. Additionally, VNS offers specialized homecare services, including healthcare escorts, gender affirmation support, and veteran’s homecare. VNS Health employs more than 10,000 people and generates approximately $1.5 billion in annual revenue.