Data Incident - Kitsap Mental Health Services

Notice of Data Incident

Updated May 14, 2025

What Happened?

On October 17, 2024, during routine monitoring of our systems, Kitsap Mental Health Services (“KMHS” or “we”) detected suspicious activity in our business network. We immediately began an investigation and took steps to contain and remediate the situation, including by changing passwords, deploying tools for increased monitoring, reporting to law enforcement, and engaging data security and privacy experts to assist.

The investigation found evidence that on September 17, 2024, and between October 8, 2024 and October 19, 2024, an unauthorized actor accessed some KMHS systems and downloaded data, which included personal information. There is currently no evidence of identity theft or fraud in connection with this incident.

What Information Was Involved?

Based on the findings of the investigation, the following types of information may have been impacted: name, date of birth, Social Security number, driver’s license or state identification number, passport number, username and password information, medical record number, Medicaid number, Medicare number, patient account number, health insurance account member number, medical diagnosis information, medical treatment/procedure information, clinical information, prescription information, provider location, and provider name.

Note that this describes general categories of information that we believe may be present within the affected systems during the incident and includes categories that are not relevant to each individual whose information may have been present.

What We Are Doing

Upon becoming aware of the incident, we immediately implemented measures to further improve the security of our systems and practices, including implementing endpoint detection and response monitoring.  After determining that an unauthorized actor gained access to our systems, we immediately began analyzing the information involved to confirm the identities of potentially affected individuals and notify them.  The KMHS team has worked diligently to complete our investigation, add further technical safeguards to our existing protections, and bring systems back online as quickly and securely as possible.  We continue to work with leading privacy and security firms to aid in our response, and we reported this incident to relevant government agencies.

What Can Impacted Individuals Do?

Out of an abundance of caution, KMHS encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Under U.S. law, individuals are entitled to one (1) free credit report annually from each of the three (3) major credit reporting bureaus. Additional information and resources are outlined below.

If you have questions for KMHS, you can call us toll-free at 855-549-2618, Monday through Friday from 6:00 a.m. to 6:00 p.m. Pacific Time (excluding U.S. holidays). You can also contact us by email at compliance@kmhs.org, or by mail to 5455 Almira Drive NE, Bremerton, WA 98311, Attention: Compliance.

Steps You Can Take to Protect Your Personal Information

To obtain a free credit report, individuals may visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228.

Alternatively, affected individuals can contact the three (3) major credit reporting bureaus directly at the addresses below:

Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111

Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742

TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213

Free Credit Report.  It is recommended that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit report for unauthorized activity.  You may obtain a copy of your credit report, free of charge, once every twelve (12) months from each of the three (3) nationwide credit reporting agencies.

To order your annual free credit report please visit www.annualcreditreport.com or call toll free at 1-877-322-8228.

You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

Fraud Alert. You may place a fraud alert in your file by calling one of the three (3) nationwide credit reporting agencies above.  A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts.  For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.

Security Freeze.  You may obtain a security freeze on your credit report, free of charge, to protect your privacy and ensure that credit is not granted in your name without your knowledge.  You may also submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft.  You have a right to place a security freeze on your credit report, free of charge, or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.

The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.  The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent.  When you place a security freeze on your credit report, you will be provided with a personal identification number, password, or similar device to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report to a specific party or parties or for a specific period of time after the freeze is in place.

To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three (3) credit reporting agencies listed above.  The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.  The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement.  It is essential that each copy be legible, and display your name, current mailing address, and the date of issue.

Federal Trade Commission and State Attorneys General Offices.  If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state.  You may also contact these agencies for information on how to prevent or avoid identity theft. Contact information for the Consumer Response Center of the Federal Trade Commission is 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/ or 1-877-IDTHEFT (438-4338).

Protecting Medical Information

If you are concerned about protecting your medical information, the following practices can provide additional safeguards to protect against medical identity theft.

Only share your health insurance cards with your health care providers and other family members who are covered under your insurance plan or who help you with your medical care.
Review your “explanation of benefits statement” which you receive from your health insurance company. Follow up with your insurance company or care provider for any items you do not recognize. If necessary, contact the care provider on the explanation of benefits statement and ask for copies of medical records from the date of the potential access (noted above) to current date.
Ask your insurance company for a current year-to-date report of all services paid for you as a beneficiary. Follow up with your insurance company or the care provider for any items you do not recognize.

7:00 AM	Shift begins; check in with night shift to ensure continuity for ongoing cases
8:00 AM	Outreach presentation to regional high school counselors
8:55 AM	Drive to a South Kitsap middle school for a “warm hand-off” of youth to new support services
9:20 AM	Receive call from a Central Kitsap middle school counselor on the way to South Kitsap
9:35 AM	In South Kitsap, meet with a youth’s mom, dad, school support staff and new school-based WISe intensive support team to discuss care for young person whose behaviors have led to severe weight loss; resolution includes therapy for the youth and an appointment at Kitsap Resolution Center for parents to work on co-parenting skills
11:20 AM	Lunch
12:00 PM	Answer emails and enter progress notes in client charts
1:20 PM	Follow up with a client by phone
1:40 PM	Follow up with a client at the Crisis Triage Center
2:15 PM	Drive to a Central Kitsap middle school to provide support with school counselor for youth who is drawing pictures that indicate suicidal thoughts; refer to WISe intensive support team
4:35 PM	Answer crisis call with adult who tried to suffocate themself; talk to paramedics and caller’s family; client is taken to St. Michael Medical Center
5:55 PM	Follow up with a youth’s parents to offer resources covered by their insurance
7:00 PM	Shift ends

Donations	$57,706
Investment Income	$2,350,966
Medicaid Managed Care	$40,516,387
Other Contracts/Misc	$16,788,859
Private Fee/Insurance	$439,572
Total	$60,153,490

24/7 Evaluation & Treatment, Residential, Supported Housing	$12,105,599
Adult Services	$16,363,069
Child & Family Services	$10,222,802
Emergency Services	$5,106,174
General & Administrative	$13,284,787
Total	$57,082,431

Notice of Data Incident

Stay Up to Date with KMHS