Assisted Living Concepts notifying over 43,000 employees after hack of payroll database at vendor’s (update3)

Chicago-based Assisted Living Concepts, LLC and its subsidiaries own and/or operate 200 assisted living facilities in 20 states. ALC uses an external vendor to process its payroll for its employees.

On February 14, the vendor notified ALC that they had detected unauthorized access to ALC’s payroll database. Investigation revealed that ALC’s login credentials had been acquired and misused to gain access to the payroll database containing current and former employees’ names, addresses, birth dates, Social Security numbers, and pay information.

The unauthorized access occurred between December 14, 2013 and January 14, 2014, and affected 43,600 employees. The vendor was not named in ALC’s notification, and it is not clear whether the login credentials were obtained from someone at ALC via phishing or some other means, or whether they were obtained from someone on the vendor’s end.

ALC deactivated the compromised login credentials, took the payroll database offline, and notified the FBI and state authorities.

In letters that went out this week, ALC offered affected current and former employees free credit monitoring via Experian ProtectMyID.

You can read ALC’s notification to New Hampshire and affected employees on the New Hampshire Attorney General’s website, here (pdf).

Updates: The breach was also reported to Vermont residents and Maryland residents.

Update 3: On March 28, ALC notified New Hampshire that on March 13, they discovered that 7,810 dependents of current and former employees also had their information involved.

About the author: Dissent