River City Insurance Group d/b/a Lavinder Group & Associates Provides Notice of Data Security Incident

River City Insurance Group d/b/a Lavinder Group & Associates (“Lavinder Group”) is an insurance brokerage company vendor that provides services to certain insurance carriers on behalf of their employer located in Danville, Virginia. Lavinder Group is providing notice that it experienced a cybersecurity incident that may involve the personal and protected health information of some individuals. As such, Lavinder Group sent notification of this incident to potentially impacted individuals and is providing resources to assist them.  Lavinder Group sincerely regrets any inconvenience that this incident may cause and remains dedicated to protecting all personal and health information.

Although we have no evidence that anyone’s personal information has been misused, Lavinder Group is providing details about the events, steps that we are taking in response, and resources available to individuals to protect against the potential misuse of their information.  Out of an abundance of caution, Lavinder Group has provided individual notifications to potentially impacted persons but is providing this notice for anyone for whom we do not have a current mailing address. 

What Happened:

Sometime in November 2020, Lavinder Group became aware of a potential business email compromise when we received numerous emails from individuals informing that they received suspicious emails from a Lavinder Group employee. Lavinder Group quickly engaged a third-party professional cybersecurity forensics team on November 4, 2020 to conduct a thorough investigation into our entire email tenant. On December 23, 2020, the investigation determined that an unknown party did gain unauthorized access to one Lavinder Group employee’s email account. Lavinder Group engaged a data mining vendor on February 2, 2021 to determine if the email account contained sensitive information. On May 10, 2021, the data mining activity concluded that sensitive information was stored in the impacted email account. On or around December 3, 2021, Lavinder Group received information identifying individuals whose information may have been exposed.  Lavinder Group reviewed this information internally to verify the names and addresses of potentially impacted parties.  In addition, Lavinder Group obtained the services of a vendor to mail the notice, provide credit monitoring services, and set up a call center.  Lavinder Group has also implemented a number of new security measures discussed below to prevent a similar incident from occurring.

 What Information Was Involved:

The investigation confirmed that sensitive information contained in the employee account may have been subject to unauthorized access.  The sensitive information contained in the account was limited to name, Social Security Number, Driver’s License or State ID Number, Financial Account Information, limited medical information, and/or health insurance information. Please note that not all data elements were present for every individual. 

What We Are Doing:

Lavinder Group takes the security of sensitive information very seriously, and has taken steps to prevent a similar event from occurring in the future. Since the incident, Lavinder Group is continuing to enhance security measures and providing cyber security training for our staff; implementing Endpoint Detection and Response (EDR) and Managed Detection and Response (MDR) software throughout the environment; encrypting local machines and emails; migrating data to Azure; implementing email spam filter and DNS filtering; implementing Dark Web monitoring; implementing firewall management; and implementing Multi Factor Authentication on email and Office 365.

The notification letter to the potentially impacted individuals includes steps that they can take to protect their information. In order to address any concerns and mitigate any exposure or risk of harm following this Incident, Lavinder Group has arranged for complimentary credit monitoring services and identity theft protection services to all potentially impacted individuals at no cost to them for a period of twelve (12) months. Lavinder Group recommends that individuals enroll in the services provided and follow the recommendations contained within the notification letter to ensure their information is protected. 

What You Can Do:

As a precautionary measure, Lavinder Group recommends that individuals remain vigilant by closely reviewing their account statements and credit reports.  If individuals detect any suspicious activity on an account, Lavinder Group strongly encourages individuals to promptly notify their financial institution.  In addition, individuals should may report any fraudulent activity or any suspected incident of identity theft to law enforcement, their State Attorney General, and/or the Federal Trade Commission (FTC).  To file a complaint or to contact the FTC, you can (1) send a letter to the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, D.C.; or (2) go to IdentityTheft.gov/databreach; or (3) call 1-877-ID-THEFT (877-438-4338).  Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, a database made available to law enforcement agencies.

Lavinder Group also encourages individuals to review the addendum to this notice titled “Additional Important Information” outlining additional steps they can take to protect their information.

For More Information:

For individuals seeking more information about the incident, please call Lavinder Group’s dedicated toll-free helpline at (855)-482-1583, Monday – Friday, 9:00 a.m. to 6:30 p.m., excluding major U.S. holidays.

Once again, Lavinder Group remains committed to protecting individual information and sincerely apologizes for this incident and any inconvenience it may cause.

Sincerely,

River City Insurance Group, Inc DBA Lavinder Group & Associates

 

Additional Important Information

For residents of Hawaii, Michigan, Missouri, Virginia, Vermont, and North Carolina: It is recommended by state law that you remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity.

For residents of Illinois, Iowa, Maryland, Missouri, North Carolina, Oregon, and West Virginia:
It is required by state laws to inform you that you may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account.  You may obtain a free copy of your credit report from each of the three nationwide credit reporting agencies.  To order your free credit report, please visit www.annualcreditreport.com, or call toll-free at 1-877-322-8228.  You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.


For residents of Iowa:

State law advises you to report any suspected identity theft to law enforcement or to the Attorney General.


For residents of Oregon:

State laws advise you to report any suspected identity theft to law enforcement, including the Attorney General, and the Federal Trade Commission.


For residents of Arizona, Colorado, Maryland, Rhode Island, Illinois, New York, and North Carolina:

You can obtain information from the Offices of the Attorney General and the Federal Trade Commission about fraud alerts, security freezes, and steps you can take toward preventing identity theft.
Maryland Office of the Attorney General Consumer Protection Division 200, St. Paul Place Baltimore, MD 21202 1-888-743-0023 www.oag.state.md.us
Rhode Island Office of the Attorney General Consumer Protection 150 South Main Street, Providence RI 02903 1-401-274-4400 www.riag.ri.gov
North Carolina Office of the Attorney General Consumer Protection Division, 9001 Mail Service Center Raleigh, NC 27699-9001 1-877-566-7226 www.ncdoj.com
Federal Trade Commission Consumer Response Center, 600 Pennsylvania Ave, NW Washington, DC 20580 1-877-IDTHEFT (438-4338) www.ftc.gov/idtheft
New York Office of Attorney General Consumer Frauds & Protection, The Capitol Albany, NY 12224 1-800-771-7755 https://ag.ny.gov/consumer-frauds/identity-theft
Colorado Office of the Attorney General Consumer Protection 1300 Broadway, 9th Floor, Denver, CO 80203 1-720-508-6000 www.coag.gov
Arizona Office of the Attorney General Consumer Protection & Advocacy Section, 2005 North Central Avenue, Phoenix, AZ 85004 1-602-542-5025
Illinois Office of the Attorney General Consumer Protection Division 100 W Randolph St., Chicago, IL 60601 1-800-243-0618 www.illinoisattorneygeneral.gov


For residents of Massachusetts: It is required by state law that you are informed of your right to obtain a police report if you are a victim of identity theft
For residents of all states:

Fraud Alerts: You can place fraud alerts with the three credit bureaus by phone and online with Equifax (https://assets.equifax.com/assets/personal/Fraud_Alert_Request_Form.pdf); TransUnion (https://www.transunion.com/fraud-alerts); or Experian (https://www.experian.com/fraud/center.html).  A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts.  For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.  As of September 21, 2018, initial fraud alerts last for one year. Victims of identity theft can also get an extended fraud alert for seven years.  The phone numbers for all three credit bureaus are at the bottom of this page.
Monitoring: You should always remain vigilant and monitor your accounts for suspicious or unusual activity.
Security Freeze: You also have the right to place a security freeze on your credit report.  A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent.  To place a security freeze on your credit report, you need to make a request to each consumer reporting agency.  You may make that request by certified mail, overnight mail, regular stamped mail, or by following the instructions found at the websites listed below.  The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse or a minor under the age of 16, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.  The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement.  It is essential that each copy be legible, display your name and current mailing address, and the date of issue.  As of September 21, 2018, it is free to place, lift, or remove a security freeze.  You may also place a security freeze for children under the age of 16.  You may obtain a free security freeze by contacting any one or more of the following national consumer reporting agencies:
Equifax Security Freeze                                                                    Experian Security Freeze                                TransUnion (FVAD)
P.O. Box 105788                                                       P.O. Box 9554                                      P.O. Box 2000
Atlanta, GA 30348                                                  Allen, TX 75013                                 Chester, PA 19022
800-525-6285                                                            888-397-3742                                      800-680-7289

More information can also be obtained by contacting the Federal Trade Commission listed above.