September 8, 2023
Dear Clients,
For more than 55 years, North Penn Legal Services has been honored to serve as our region’s legal aid resource for low-income individuals and groups. We have provided civil legal assistance, including free legal representation, education and self-help materials for countless members of our community over the years.
Unfortunately, I write today to make you aware of a data security incident that occurred in late 2022, impacting our network-based operational systems. After a detailed review, we have determined that certain data was inappropriately accessed from our systems. This data included some of your personal information. We have since resolved this incident and believe it no longer poses a risk.
What happened?
After a detailed internal review, we have confirmed that North Penn Legal Services experienced a malware-related data security incident that occurred with our local network data systems in October 2022. The impacted systems included our phone system and files stored on our local network. Our client case management system was not impacted, as those files are stored on a cloud-based service not accessed in this incident.
We engaged data security and privacy experts to assist us with this incident, working to identify the source of the cyberattack and limit the spread of the inappropriately accessed data. We believe those efforts have been successful and have received confirmation that the inappropriately accessed data is no longer at risk of further dissemination.
Although we were able to quickly limit the risk from this incident, the investigation to determine the data that was accessed took an extended period of time. Our data security experts undertook a lengthy investigation to determine the specific data that was accessed. Unfortunately, despite those efforts, we were unable to identify individual-specific data that was inappropriately accessed during this incident. For this reason, we are issuing this broad notification to alert you that some of your personal information may have been accessed by unauthorized third parties during this incident.
What information was involved?
Based on our investigation, we have confirmed that personal data of current and former clients was accessed inappropriately during this incident.
Some individuals’ names, addresses and Social Security numbers were accessed. In some cases, only certain data was accessed, such as Social Security numbers with no corresponding names or individuals’ names with no addresses. As a result, we are unable to provide you with a detailed accounting of your personal information that may have been accessed during this incident.
How is North Penn Legal Services responding?
We take data security and privacy very seriously. That is why we engaged a third-party cybersecurity company to conduct a thorough and extensive forensic investigation. We immediately took steps to strengthen our online privacy measures. We also have taken steps to ensure the information that was accessed will not be further disseminated.
We therefore believe our systems are again safe and secure for our clients.
What can you do?
Although we have no reason to believe financial information was accessed in this incident, we recommend you review your credit card and bank information, including your statements and charges. If you believe there is an unauthorized charge on your payment card, please notify the relevant payment card company by calling the number on the back of the card. Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.
You may also choose to order a free credit report. If you are a U.S. resident, federal law gives you the right to obtain a free copy of your credit report every 12 months from each of the three nationwide consumer reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228.
Our Commitment to You
We are a mission-focused organization. We take our responsibility to you and our community seriously. That is why we wanted to notify you of this incident and reassure you that we have successfully resolved it. Thank you for your trust and confidence. Know that we do not take it for granted.
If you have any questions or concerns about this issue, please feel free to contact us at datasecurity@nplspa.org.
Sincerely,
Lori A. Molloy, Esq.
Executive Director
