An unauthorized third party potentially accessed names, dates of birth and, in some cases, Social Security numbers and personal health information, Elmcroft said

The personal information of Elmcroft Senior Living residents and their family members, employees and others could have been stolen in a data breach that occurred in mid-May, the Louisville, KY-based company said late Friday in a press release.

An unauthorized third party potentially accessed names, dates of birth and, in some cases, Social Security numbers and personal health information, Elmcroft said. The company did not specify the number of people who could have been affected.

In January, Elmcroft ceased managing a portfolio of more than 70 facilities bearing its name and offering assisted living, independent living, memory care, skilled nursing or inpatient hospital rehabilitation. The properties continue to be operated under the Elmcroft Senior Living name, but by Portland, OR-based Eclipse Senior Living, also referred to as ESL.

The company known as Elmcroft Senior Living is now in “wind-down” mode, Zach Olsen of Infinite Global Consulting, speaking on behalf of Elmcroft, told McKnight's Senior Living.

Elmcroft said it believes the data security incident started May 10 and that the company became aware of it on May 12, at which time it terminated the third party's access. Elmcroft executives don't believe they know the third party involved in the incident, Olsen said.

Olsen originally said the breach was thought to have occurred while Elmcroft was transferring information from its computer servers to the servers of the new operator. On June 11, however, he said that the breach was unrelated to Eclipse Senior Living's copying of Elmcroft data to allow it to continue managing the Elmcroft portfolio without interruption. That data transfer was completed by April 12.

“The company has notified local and federal law enforcement agencies and is cooperating with those entities as they investigate the incident,” Louisville, KY-based Elmcroft said in its press release. The California attorney general's office said it was notified June 1.

In a notification letter to those who may have been affected by the breach, posted on the California attorney general's website, Elmcroft said it “is committed to making every reasonable effort to safeguard your personal information.”

The company is offering one year of identity monitoring services — including credit monitoring, $1 million in identity fraud loss reimbursement, fraud consultation and identity theft restoration — to those who may have been affected.

The company also has set up a telephone line, (833) 221-9231, for those who may have been affected. The line is open weekdays from 8 a.m. to 5 p.m. central time. Those who call should be ready to provide the membership number that was included in the notification letter they received.

Updated June 11, 2018, to include additional information about Eclipse.