Notice of Data Privacy Event
About the data privacy event
Tomo Drug Testing (“Tomo”) recently discovered an incident that may affect the security of personal information of certain individuals, including those who have previously submitted to drug screening services through Tomo. We take this incident very seriously, and we have been working diligently with the assistance of third-party forensic investigators to determine the full nature and scope of this incident. We are taking additional actions to strengthen the security of our systems moving forward.
What happened? On April 23, 2019 and May 9, 2019, an unauthorized actor gained remote access to our system and claimed to have downloaded and removed certain information from our customer database. We discovered this incident on April 23, 2019 and immediately launched an investigation, with the aid of forensic experts, to determine the nature and scope of this incident. Tomo learned that certain files were deleted or removed from the database. Tomo undertook a lengthy and labor-intensive process to identify the personal information contained in the impacted database. Tomo confirmed the individuals impacted by this incident on or about July 1, 2019, and has worked since that time to notify all required parties and obtain mailing addresses for the impacted individuals where possible. While the investigation was unable to confirm whether the information contained in the database was downloaded or removed, Tomo is notifying you in an abundance of caution because we have confirmed that information regarding drug testing you submitted to was present in the database.
What information may have been affected by this incident? Tomo is unable to confirm whether your information was actually taken by the unauthorized individual. Our investigation confirmed that the information present in the impacted database includes the following types of information for individual drug screening subjects: name, driver’s license number or state identification card number or Social Security number, and drug test results.
Although we cannot confirm that any individual’s personal information was actually accessed or taken without permission, we are providing this notice out of an abundance of caution. We have no evidence of actual or attempted misuse of any individual’s information as a result of this incident.
How will individuals know if they are affected by this incident? Tomo is mailing notice letters to the individuals whose protected information was contained within the impacted database and may have been accessed or taken by an unauthorized actor. If an individual did not receive a letter but would like to know if they are affected, they may call the hotline listed below.
What is Tomo doing about this incident? Information privacy and security are among our highest priorities. Tomo has strict security measures to protect the information in our possession. Upon learning of this incident, we quickly changed the passwords and privileges that provided access to the database and restored the data from our backups. We have since migrated our databases to a new system with additional security measures and removed our databases from the prior system. We are currently implementing additional technical safeguards to prevent similar future incidents. We are also offering the impacted individuals access to complimentary credit monitoring services as an added precaution. Because Tomo has insufficient contact information for some of the individuals whose information may be contained in the impacted database, we are providing notice to potentially impacted individuals by way of a notification published to certain state media outlets. Tomo is mailing notice letters to those individuals for whom it has confirmed mailing address information. We are also notifying certain state regulators.
Whom should individuals contact for more information? If individuals have questions or would like additional information, they may call our dedicated assistance line at 1-833-680-7832 (toll free), Monday through Friday, 8:00 a.m. to 5:30 p.m., CST.
What can individuals do to protect their information?
Monitor Your Accounts. To protect against the possibility of identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements, and to monitor your credit reports for suspicious activity.
Credit Reports. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.
Security Freeze. You have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence.
Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below:
P.O. Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
P.O. Box 105788
Atlanta, GA 30348
To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.
As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the agencies listed below:
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
P.O. Box 105069
Atlanta, GA 30348
Additional Information. You can further educate yourself regarding identity theft, and the steps you can take to protect yourself, by contacting your state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should be reported to law enforcement, your Attorney General, and the FTC. You can also further educate yourself about placing a fraud alert or security freeze on your credit file by contacting the FTC or your state’s Attorney General. For Maryland residents, the Attorney General can be contacted by mail at 200 St. Paul Place, Baltimore, MD, 21202; toll-free at 1-888-743-0023; by phone at (410) 576-6300; consumer hotline (410) 528-8662; and online at www.marylandattorneygeneral.gov. For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violator. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580. For North Carolina Residents: The North Carolina Attorney General can be contacted by mail at 9001 Mail Service Center, Raleigh, NC 27699-9001; toll-free at 1-877-566-7226; by phone at 1-919-716-6400, and online at www.ncdoj.gov. For Rhode Island Residents: The Rhode Island Attorney General can be reached at: 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, 1-401-247-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident. There are an unknown number of Rhode Island residents impacted by this incident.