Privacy Update

HealthEC (HEC), which works with TennCare and partner providers to better coordinate care for members, became aware of suspicious activity potentially involving its network and customers nationwide and promptly began an investigation. The investigation determined that certain systems were accessed by an unknown actor between July 14, 2023, and July 23, 2023, and during this time certain files were copied and held for ransom by the unknown actor. Once learning of the suspicious activity from HEC, TennCare immediately suspended operation of the Care Coordination Tool (CCT) and all other HEC functions.

Working with the Federal Bureau of Investigation and the Department of Homeland Security, HEC engaged a third-party vendor and undertook a thorough review of the systems and files in order to identify what specific information was present in affected files and to whom it relates. This review was completed in late October and confirmed a data breach of information relating to HEC's clients, including TennCare.

Once TennCare received confirmation of the breach from HEC, TennCare worked with HEC to identify and notify potentially impacted individuals. Notification to individuals identified as potentially impacted began within the required 60-day notification period – around December 22.

Additionally, address verification for some potentially impacted individuals was completed later and, therefore, those individuals continue to receive notifications.