LGAA, LLC (“LGAA”) and some its affiliated agencies (collectively, “Leavitt”) are notifying certain individuals of a security incident that may impact the privacy of a limited amount of personal information. Leavitt is unaware of any misuse of individual information but is providing notice to potentially affected individuals so they may take steps to protect themselves if they feel it is appropriate.
In March 2021, LGAA’s data center learned of possible unauthorized access to some of the data stored on its systems. The data center houses information of Leavitt’s clients and insurance plans within its systems for service and administration. Upon learning of the possible incident, with the assistance of a leading third-party cybersecurity investigation firm, an investigation was launched to confirm the nature and scope of the potential unauthorized access.
The investigation determined that certain data relating to some of Leavitt’s employees, clients and/or plan participants might have been accessed by someone without authorization between approximately February 16 and March 18, 2021. An industry-leading data analytics firm was then engaged to conduct a thorough review to determine whether sensitive information was present in the impacted files and to whom that data relates.
This time-consuming and labor-intensive review was completed on or about September 23, 2021. To locate missing address information for potentially affected individuals, as well as to determine to which plan or employer the potentially affected individuals relates, an additional subsequent comprehensive internal review was conducted. After this thorough and time-consuming review was completed on December 13, 2021, Leavitt quickly began notifying potentially affected individuals and clients.
The types of personal information potentially impacted varies by individual, but might have included: names, addresses, Social Security numbers, driver’s license or state identification numbers, medical information, health insurance information, and dates of birth.
Leavitt treats its responsibility to safeguard sensitive information as an utmost priority. As such, Leavitt responded immediately to this incident and worked diligently to provide potentially affected individuals with accurate and complete notice of the incident as soon as possible. As part of the ongoing commitment to the privacy and security of personal information in its care, Leavitt is reviewing existing internal policies and procedures relating to data protection and security.
On March 1, 2022, Leavitt began notifying potentially impacted individuals and regulatory authorities, as required. Although Leavitt is unaware of any actual or attempted misuse of any personal information potentially impacted by this incident, individuals are encouraged to remain vigilant against incidences of identity theft by reviewing account statements and explanation of benefits and by monitoring free credit reports for suspicious activity and to detect errors. Any suspicious activity should be reported to the appropriate insurance company, health care provider, or financial institution.