On the morning of June 11, 2025, Albemarle County discovered issues with our IT systems and quickly determined that we were the victim of a ransomware incident. Ransomware is a type of malicious software that cybercriminals use to break into computer systems and lock up important data. Their goal is often to steal sensitive or personal information. Even with strong and up-to-date cybersecurity protections in place, these types of attacks are becoming more common.

When we discovered the incident, we immediately implemented security measures and engaged leading cybersecurity experts to assist in assessing and resolving the situation. Based on their investigation, it appears the incident began late in the afternoon on June 10, 2025, and was perpetrated overnight. During this time, information from our systems was inappropriately accessed and/or obtained by an unauthorized user. 

Through our investigation, we determined it is likely that the data of current and former local government and public school employees and their dependents, as well as other individuals, including county residents, those conducting business with the County, and individuals who applied for or received services from the County, was compromised. This data may include personal information, such as names, addresses, driver’s license numbers, Social Security numbers, passport numbers, military ID numbers, and state ID card numbers. 

As our investigation progressed, the County discovered on July 15, 2025, that information connected to the administration of Albemarle County’s self-insured health plan was involved in the incident. The self-insured plan supports current and former local government and public school employees and their dependents. It is important to note that this type of information is different than personal medical records. The information connected to the health plan relates to program administration such as eligibility and enrollment details. While some of these records may contain health details due to coverage of costs for insurance, no medical charts or other extensive personal health information were part of the data, since it was related to health insurance administration and not medical treatment from providers. 

The investigation has taken several months due to the high volume and complexity of the data involved within the compromised files, totaling approximately 185 gigabytes. Each of these files had to be scanned for viruses and reviewed to determine the scope of their contents and identify the individuals whose protected health information was affected by this event. Through this comprehensive review, we determined the compromised data of current and former local government and public school employees and their dependents related to the County’s self-insured health plan may include: full names, addresses, phone numbers, emails, social security numbers, dates of birth, employee and user ID numbers, healthcare ID numbers, account/patient ID numbers, health details related to the payment of care receive, invoice numbers for medical care received, the names of medical providers, the dates of medical services, billing and claim information, and health insurance information, including subscriber, beneficiary, policy, member and group numbers.  

The data that may have been accessed was not the same for everyone. Protected health information was compromised for current and former local government and public school employees and their dependents, not members of the general public. 

Immediately following the attack, Albemarle County notified state and federal law enforcement, including the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Fusion Center of the Virginia State Police. 

We are continuing to evaluate additional actions to strengthen our network security in the face of an ever-evolving cyberthreat landscape that is, unfortunately, increasing over time. We have carefully reviewed our system security and taken steps to strengthened our cybersecurity posture. Regarding any protected health information the county handles, we have reviewed our handling and storage of this information and modified our procedures to improve security and reduce potential access by unauthorized persons. We have engaged external expert guidance to evaluate our environment for HIPAA compliance and have implemented expanded training for County employees who handle sensitive information subject to HIPAA as part of their duties. 

Out of an abundance of caution, Albemarle County has arranged to provide complementary identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration, for those individuals with data potentially impacted by this incident, including all current and former local government and public school employees and their dependents, as well as residents, those who have conducted business with the County, and applied for or received services from the County. This is available to individuals of all ages who may have been impacted. We are providing this credit monitoring service at no cost for 12 months through Kroll, a global leader in identity risk mitigation and response. 

If you wish to take advantage of the free identity monitoring services, please contact Kroll directly at (866) 819-9798 to obtain these services. The deadline to register is March 17, 2026.

Please review the “Additional Resources” below. This information provides practical steps you can take to help protect yourself, including recommendations from the Federal Trade Commission regarding identity theft protection and details on placing a fraud alert or a security freeze on your credit file.

If you wish to take advantage of the free identity monitoring services, please contact Kroll directly at (866) 819-9798 to obtain these services. The deadline to register for services through Kroll is March 17, 2026. 

In addition, we strongly encourage current and former local government and public school employees, and their dependents, to take precautionary measures now to help prevent and detect any misuse of their personal health information. Some recommended steps include: 

• Closely monitoring any "Explanation of Benefits" or "EOB" sent by the plan to explain benefits paid by the plan to you or your medical providers. Contact the plan or your health care provider if they look suspicious or unfamiliar.
• Requesting a copy of your current medical records from each healthcare provider. Review them to make sure the information is familiar. Report any errors or suspicious information to your healthcare provider. 
• Asking your healthcare providers to provide a list of all the times your medical information has been shared and the reasons for sharing. Review the list and report any errors or suspicious information to your healthcare provider.
• Monitoring your financial accounts, including your flexible savings account or health savings account. If you see any unauthorized activity, contact your financial institution. 

Anyone potentially affected by this breach is encouraged to request a free credit report. You can obtain one from AnnualCreditReport.com, which is the only free resource authorized by the Fair Credit Reporting Act. The site is supported by the three major credit reporting companies: Equifax, Experian, and TransUnion. Even if you do not see any suspicious activity now, the Federal Trade Commission recommends checking your credit reports periodically. Your personal information may be held for use or shared among a group at different times, so checking your credit reports periodically can help you quickly identify problems. 

For more information or to ask questions about the breach and our commitment to protecting your information, contact us via phone at (434) 872-4572 or email to AskAQuestion@albemarle.org. 

We appreciate your understanding and patience.

Steps to Protecting Your Personal Information 

Review Your Account Statements and Obtain and Monitor Your Credit Report

As a precautionary measure, we recommend that you remain vigilant by regularly reviewing and monitoring account statements and credit reports to detect potential errors or fraud and identity theft resulting from the security incident. You may periodically obtain your free credit report from one or more of the national credit reporting companies. You may obtain a free copy of your credit report online at www.annualcreditreport.com, by calling toll-free 1‑877‑322‑8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You may also purchase a copy of your credit report by contacting one or more of the three national credit reporting agencies listed below.

When you receive your credit reports, review them carefully. Look for accounts or creditor inquiries that you did not initiate or do not recognize. Look for inaccurate information, such as a home address and Social Security number. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report.

Notify Law Enforcement of Suspicious Activity

You should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, including local law enforcement, your state attorney general, and the Federal Trade Commission (FTC). To file a complaint with the FTC, use the below contact information or website.

The Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, DC 20580

1-877-ID-THEFT (1-877-438-4338)

TTY: 1-866-653-4261

www.IdentityTheft.gov

Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company which the account is maintained.

Credit Freezes

You have the right to put a security freeze, also known as a credit freeze, on your credit file, so that no new credit can be opened in your name without the use of a Personal Identification Number (PIN) that is issued when you initiate a freeze. A credit freeze is designed to prevent potential creditors from accessing your credit report without your consent. If you place a credit freeze, potential creditors and other third parties will not be able to access your credit report unless you temporarily lift the freeze. Therefore, using a credit freeze may delay your ability to obtain credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. Should you wish to place a credit freeze, please contact all three major consumer reporting agencies listed below.

You must separately place a credit freeze on your credit file at each credit reporting agency. The following information should be included when requesting a credit freeze:

1. Your full name, with middle initial and any suffixes;
2. Your Social Security number;
3. Your date of birth (month, day, and year);
4. Your current address and previous addresses for the past five (5) years;
5. A copy of your state-issued identification card (such as a state driver’s license or military ID);
6. Proof of your current residential address (such as a current utility bill or account statement); and
7. Other personal information as required by the applicable credit reporting agency.

If you request a credit freeze online or by phone, then the credit reporting agencies have one (1) business day after receiving your request to place a credit freeze on your credit file report. If you request a lift of the credit freeze online or by phone, then the credit reporting agency must lift the freeze within one (1) hour. If you request a credit freeze or lift of a credit freeze by mail, then the credit agency must place or lift the credit freeze no later than three (3) business days after getting your request. More information regarding credit freezes can be obtained from the FTC and the major consumer reporting agencies.

Fraud Alerts

You also have the right to place an initial or extended fraud alert on your file at no cost. An initial fraud alert will stay on your credit file for one (1) year. The alert informs creditors of possible fraudulent activity within your report and requires the creditor to verify your identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting 7 years. Should you wish to place a fraud alert, please contact any one of the three major consumer reporting agencies listed above. The agency you contact will then contact the other two. More information regarding fraud alerts can be obtained from the FTC and the major consumer reporting agencies.

Monitor Your Personal Health Information

If applicable to your situation, we recommend that you regularly review the explanation of benefits statement that you receive from your insurer. If you see any service that you believe you did not receive, please contact your insurer at the number on the statement. If you do not receive the regular explanation of benefits statements, contact your provider and request them to send such statements following the provision of services in your name or number. You may want to order copies of your credit reports and check for any bills that you do not recognize. If you find anything suspicious, call the credit reporting agency at the phone number on the report. Keep a copy of this notice for your records in case of future problems with your records.

Additional Resources and Information

You can obtain additional information and further educate yourself regarding identity theft and the steps you can take to protect yourself by contacting your state attorney general or the FTC. The FTC’s contact information and website for additional information is:

The Federal Trade Commission

600 Pennsylvania Avenue, NW

Washington, DC 20580

1-877-ID-THEFT (1-877-438-4338)

TTY: 1-866-653-4261

www.ftc.gov/idtheft

For Virginia residents: You may contact the Virginia Attorney General’s Office at 202 North Ninth Street, Richmond, VA 23219; 1-804-786-2071; or https://www.oag.state.va.us/contact-us/contact-info.

For Connecticut residents: You may contact the Connecticut Office of the Attorney General at 165 Capitol Avenue, Hartford, CT 06106; 1-860-808-5318; or https://portal.ct.gov/ag.

For District of Columbia residents: You may contact the Office of the Attorney General for the District of Columbia at 400 6th Street, NW, Washington, DC 20001; 1-202-727-3400; or https://oag.dc.gov/consumer-protection/consumer-alert-online-privacy.

For Iowa residents: You may contact law enforcement or the Iowa Attorney General’s Office to report suspected incidents of identity theft. The Iowa Attorney General’s Office can be reached at 1305 E. Walnut Street, Des Moines, IA 50319; 1‑515‑281‑5164; or www.iowaattorneygeneral.gov.

For Maryland residents: You may contact the Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202; 410-576-6300; 1-888-743-0023 (toll free), or https://www.marylandattorneygeneral.gov/Pages/contactus.aspx.

For Massachusetts residents: You may contact the Office of the Massachusetts Attorney General at 1 Ashburton Place, Boston, MA 02108; 1-617-727-8400; or https://www.mass.gov/orgs/office-of-the-attorney-general. You have the right to obtain a police report if you are a victim of identity theft.

For New Mexico residents: You have rights under the federal Fair Credit Reporting Act (“FCRA”). These include, among others, the right to know what is in your credit file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit

https://files.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf or ww.ftc.gov.

For New York residents: The Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov/. You may also contact the Bureau of Internet and Technology (BIT) at 28 Liberty Street, New York, NY 10005; 212‑416‑8433; or https://ag.ny.gov/about/about-office/economic-justice-division#internet-technology.

For North Carolina residents: The North Carolina Attorney General’s Office may be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; 919-716-6400; or https://ncdoj.gov/contact-doj/.

For Oregon residents: We encourage you to report suspected identity theft to the Oregon Attorney General at 1162 Court Street NE, Salem, OR 97301; 1‑877‑877‑9392; 1‑503‑378‑4400; or www.doj.state.or.us.

For Rhode Island residents: You may contact the Rhode Island Office of the Attorney General at 150 South Main Street, Providence, RI 02903; 1-401-274-4400; or https://riag.ri.gov/. You have the right to obtain a police report if you are a victim of identity theft. No Rhode Island residents were impacted by this breach.

Q:  What happened?

A:  Albemarle County was the victim of a ransomware incident. Ransomware is a type of malicious software that cybercriminals use to break into computer systems and lock up important data. Their goal is often to steal sensitive or personal information. Even with strong and up-to-date cybersecurity protections in place, these types of attacks are becoming more common.

Q: When did the event occur?

A:  The incident began in the late afternoon on June 10, 2025, was perpetrated overnight, and was discovered by Albemarle County on the morning of June 11, 2025. 

Q:  What kind of information was exposed in this event?

A: Evidence indicates that only data from the local servers was involved in the incident. There is no indication that any data held on cloud-based systems was compromised. 

Q:  Why has it taken so long to notify me?

A:  Thanks to the quick response of Albemarle County’s IT Department, their systems were rapidly secured and were restored to normal. Albemarle County immediately notified local law enforcement officials and launched an investigation into the incident. The investigation included a review of internal security systems to confirm that procedures already in place are strengthened to further safeguard against a breach of data security in the future. 

The complete investigation has taken several months due to the high volume and complexity of the data involved within the compromised files, totalling approximately 185 gigabytes. The files had to be scanned for viruses and reviewed to understand the scope of what they contained and determine the identities of the individuals impacted by this event. 

Q:  What is Albemarle County doing in response to the event?

A:  Albemarle immediately activated its security protocols, enlisted the support of top cybersecurity experts, and alerted state and federal law enforcement to the ransomware attack. 

Albemarle has reviewed how it handles and stores protected health information and has modified its procedures to improve security and reduce potential access by unauthorized persons. Albemarle brought in outside expert guidance to evaluate its environment for compliance with HIPAA regulations and has implemented expanded training for County employees who handle sensitive information subject to HIPAA as part of their job duties. 

Q:  What is Albemarle County doing to prevent similar events from happening in the future?

A:  Albemarle has carefully reviewed its system security and has taken steps to further strengthen protections going forward. The County will continue to evaluate additional actions necessary to strengthen its network security as advised by the cybersecurity experts enlisted to assist with the response.

Albemarle has reviewed how it handles and stores protected health information and has modified its procedures to improve security and reduce potential access by unauthorized persons. Albemarle brought in outside expert guidance to evaluate its environment for compliance with HIPAA regulations and has implemented expanded training for County employees who handle sensitive information subject to HIPAA as part of their job duties.

Q:  What Services am I being offered?

A: Albemarle County has arranged for 12 months of complimentary identity monitoring for individuals whose data may have been potentially compromised by this incident, which includes Credit Monitoring, Identity Theft Insurance, and Identity Restoration.