Please note: Notification letters were mailed on August 23 to all individuals who were impacted by this data breach.
What happened?
In early July, cybercriminals executed a ransomware attack upon internal data servers at OHC, effectively encrypting and holding our data hostage. The group also demanded that OHC pay a ransom in the millions of dollars in order to avoid the release of the data to the public. OHC made an offer to the cybercriminals to prevent the release of the data. On August 7, the cybercriminals rejected the offer. The personal information of certain stakeholders may now be accessible to those who may be looking for it.
How did this happen?
In most cases, ransomware is spread through phishing emails that contain malicious attachments or through a user unknowingly visiting an infected website, automatically downloading and installing malware without the user's knowledge.
What personal information was exposed?
No credit card information was accessed or stolen as part of this breach.
Names, addresses, and Social Security numbers of current and former OHC employees (from 2009 to 2023) could have been accessed. Cybercriminals may have gained access to W-9 reports and other records revealing the names and personal Social Security numbers of vendors who contracted to provide services to OHC. They also may have gained access to images of checks provided to OHC by some members and donors beginning in 2020.
How many people are involved?
In total, the information of 7,600 individuals has potentially been exposed.
What help are we providing to those impacted here as a result?
Those impacted may sign up for free credit monitoring for one year at this address: https://response.idx.us/ohc. They may also take advantage of your rights to the free fraud alert services offered by the three major credit bureaus. Our breach communications partner, IDX, has set up a call center at 1-888-566-6462 or by visiting the IDX response site above. The IDX call center will be open 9 a.m. to 9 p.m eastern time.
Have the police been/local authorities been notified?
OHC has notified the FBI and retained forensic IT consulting firms to help it determine the extent of the data breach and to assist in reconstructing its systems and restoring its data.
Why didn't you tell affected individuals about the loss of the data sooner?
With any such event, it takes time to gather the relevant information as to the extent of the breach, identify the affected individuals, hold the necessary internal discussions. OHC was diligent with the investigation to ensure the appropriate protection services would be provided.
What is OHC doing to prevent this kind of loss from happening again?
In restoring its data and systems, OHC has moved a vast majority of its data to cloud-based services, and has implemented new security systems, features and measures intended to reduce its vulnerability to future attacks and better protect personally identifiable information. It has obtained advice and direction from the IT consultants it has employed throughout this process.
Has the information been misused?
At this time, there is no evidence that there has been any use or attempted use of the information exposed in this incident.
What are the risks of identity theft with the information that was exposed?
Receiving a notification letter does not mean that you are a victim of identity theft.
We are recommending that people review their letter and the recommendations provided. At this time, there is no reason to believe that your information is at risk, as a result of this incident.
