Westat, INC.

Notice of Data Security Incident

Westat, Inc. (“Westat” or "We") provides a variety of data collection and management services to several organizations as part of the National Hospital Care Survey (“NHCS”). NHCS collects data on patient care in hospital-based settings to describe patterns of health care delivery and utilization in the United States (https://www.cdc.gov/nchs/nhcs/index.htm). Renown Health participates in and provides certain patient information to Westat for the purpose of collecting health care statistics related to public health. This notice is posted to make you aware of a data incident that may impact the privacy of your personal information we received in connection to our relationship with Renown Health the NHCS.

What Happened? Westat utilizes MOVEit Transfer (“MOVEit”) third-party software to manage data it collects and/or maintains on behalf of several organizations. On May 30, 2023, Westat detected unusual activity occurring in its MOVEit instance and later that day MOVEit announced a zero-day vulnerability that had impacted a large number of companies across various industries. A zero-day vulnerability is an undiscovered flaw in an application or operating system, a gap in security for which there is no defense or patch because the software maker does not know it exists—they’ve had “zero days” to prepare an effective response. When Westat detected the unusual activity on the MOVEit instance it immediately took steps to ensure the security of its environment, and with the assistance of third-party forensic specialists, conducted an investigation to determine the nature and scope of the activity. The investigation determined that certain data stored on the Westat server that hosted the MOVEit software may have been copied without authorization between May 28 and May 29, 2023. Westat conducted a detailed review of data involved to determine the type of information present and to whom it related. This review confirmed that Renown Health information was present in the impacted data and was accessed or acquired during the MOVEit incident.

What Information Was Involved? Data elements including demographic, clinical, and financial information were present in the impacted files. We have no evidence that any of your information was used for identity theft or fraud.

What We Are Doing We take this incident and the obligation to safeguard the information in our care very seriously. After discovering the incident, we promptly took steps to confirm our system security, and engaged with a third-party forensic specialist to assist in conducting a comprehensive investigation. Further, we have implemented all the software security patches provided by MOVEit to date. As an added precaution, we are offering 12 months of credit monitoring and identity restoration services through IDX, a ZeroFox Company.

What You Can Do. We encourage enrollment in credit monitoring and remain vigilant against incidents of identity theft and fraud by reviewing account statements and monitoring your free credit reports for suspicious activity and to detect errors over the next 12 to 24 months.

For More Information. If you have additional questions or concerns, please feel free to call us at 888-998-8671. We are available 9 am to 9 pm EST, Monday through Friday. You may also write to Westat at Westat, Inc., Attn: Kathy Chimes, 1600 Research Boulevard, Rockville, MD 20850.