The City of Cincinnati (the “City”) recently discovered an incident that may affect the personal information of certain current or former employees of the City and their dependents. Because the City is committed to transparency and takes the protection and proper use of personal information very seriously, the City is providing information about the incident, steps the City is taking in response, and steps impacted individuals may take to guard against identity theft and fraud, to all those affected.

On April 19, 2022, the City discovered that a Request for Proposal (“RFP”) for dental and vision services that inadvertently included participant census data was posted on the City’s procurement websites. The RFP was posted on April 8 at 4PM and was removed upon discovery on April 19.

The census files contained in the posted RFP included certain personal information and protected health information (“PHI”) of prior or current participants in the City’s dental and/or vision programs. This data included name, home address, demographics information, vision and/or dental insurance information, and in some cases, Social Security number, dental claims information, and date of birth. Credit card information, banking information, and medical information such as test results or treatment records, were NOT released.

The incident did not impact AFSCME, FOP, or other City employees who do not have dental and/or vision insurance through the City. This event was not the result of a cybersecurity breach, and the City has no reason to believe any information was actually compromised or misused. However, the City is approaching this with an abundance of caution as privacy is of the utmost importance.

Today, letters are being sent by US Mail notifying impacted employees or former employees of the details related to two years of free credit monitoring services, as well as identity theft coverage. “Upon learning of this, the City immediately launched an investigation and has taken every step necessary to address the incident. The City is committed to providing impacted individuals the resources to protect themselves and their dependents, including credit monitoring and identity theft services.” Said John P. Curp, Interim City Manager.

In addition, the City is always looking for ways to improve and enhance its services, including the protection of its employees.  As part of that process, the City is reviewing its policies and processes for RFPs and sensitive information handling, and is implementing additional training. The City is also working with its healthcare consultant to apply additional protocols and training regarding information sharing practices. This matter is also being reported to the Department of Health and Human Services.

The City recommends that everyone remain vigilant for incidents of fraud and identity theft, including by reviewing account statements and monitoring free credit reports. Individuals can find information about proactively taking steps to protect themselves, including fraud alerts and security freezes, from the Federal Trade Commission and credit bureaus. Contact information for the FTC and three major credit bureaus is below:

The Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, DC 20580

1-877-ID-THEFT (1-877-438-4338)

TTY: 1-866-653-4261

www.ftc.gov/idtheft

Equifax® P.O. Box 740241 Atlanta, GA 30374-0241 1-800-685-1111 www.equifax.com

Experian P.O. Box 9701 Allen, TX 75013-9701 1-888-397-3742 www.experian.com

TransUnion® P.O. Box 1000 Chester, PA 19016-1000 1-800-888-4213 www.transunion.com

Individuals should also be aware of scam email campaigns that may target current and former City employees. These scams, designed to capture personal information (known as “phishing”), are designed to appear as if they are from the City and the emails may include a “click here” link for credit monitoring. These emails are not from the City. Individuals should not reply to the email or reach out to the senders in any way; not supply any information on the website that may open if they have clicked on an email link; and should not open any attachments in the email. The City is not calling individuals regarding this incident and is not asking for credit card information or Social Security numbers over the phone. For more guidance on recognizing scam email, please visit the FTC Website: http://www.consumer.ftc.gov/articles/0003-phishing.

The City sincerely regrets any inconvenience or concern caused by this incident. Individuals who believe they may be impacted by this incident and would like further information about this matter should contact the CoC Benefits call center Monday-Friday, 8am-5pm at 833-570-2110.