Notification of TMG Health, Inc. Security Incident
VillageCareMAX (VillageCare) contracts with TMG Health, Inc. (TMG Health) to assist VillageCare with administering its members’ health plans. On September 19, 2025, TMG Health discovered that an unauthorized individual had access to personal and protected health information stored within its information system. TMG Health immediately terminated the individual’s access, secured the affected systems, and conducted a thorough internal investigation. It was determined that the unauthorized access took place from November 20, 2024, to September 19, 2025. TMG Health has since implemented technological and procedural enhancements designed to anticipate new risks and to strengthen controls across operations.
On November 14, 2025, it was determined that information involved in the incident included a limited number of VillageCare members’ name, as well as their social security numbers, member identification numbers, and health information.
Neither TMG Health nor VillageCare are aware of any reports of fraud or identity theft. Financial information, such as bank account or credit card numbers, was not involved in this incident. Out of an abundance of caution, individuals with impacted information are being offered complimentary identity theft protection services, including credit monitoring and ID theft recovery services.
TMG Health has established a dedicated and confidential call center to answer questions. The call center is staffed with professionals familiar with this incident and knowledgeable on what impacted individuals can do to protect against misuse of their information. The call center can be reached at 1-833-788-9712, Monday through Friday, 9 am to 9 pm, Eastern Time, excluding holidays.
Below are additional helpful tips for individuals to consider to protect their personal information:
Review your credit reports and report suspicious activity. We recommend that you remain vigilant by reviewing account statements and monitoring credit reports. Under federal law, you also are entitled every 12 months to one free copy of your credit report from each of the three major credit reporting companies. To obtain a free annual credit report, go to www.annualcreditreport.com or call 1-877-322-8228. You may wish to stagger your requests so that you receive a free report by one of the three credit bureaus every four months.
You also should promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact law enforcement, the Federal Trade Commission (“FTC”) and/or the Attorney General’s office in your home state. You can also contact them for information on how to prevent or avoid identity theft. The FTC can be contacted at:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue, NW
Washington, DC 20580
http://www.identitytheft.gov/
1-877-IDTHEFT (438-4338)
Place Fraud Alerts with the three credit bureaus. If you choose to place a fraud alert, we recommend you do this after activating your credit monitoring. You can place a fraud alert at one of the three major credit bureaus by phone and also via Experian’s or Equifax’s website. A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit. The contact information for all three bureaus is as follows:
Credit Bureaus
| Equifax Fraud Reporting 1-866-349-5191 P.O. Box 105069 Atlanta, GA 30348-5069 www.equifax.com | Experian Fraud Reporting 1-888-397-3742 P.O. Box 9554 Allen, TX 75013 www.experian.com | TransUnion Fraud Reporting 1-800-680-7289 P.O. Box 2000 Chester, PA 19022-2000 www.transunion.com |
It is necessary to contact only ONE of these bureaus and use only ONE of these methods. As soon as one of the three bureaus confirms your fraud alert, the others are notified to place alerts on their records as well. You will receive confirmation letters in the mail and will then be able to order all three credit reports, free of charge, for your review. An initial fraud alert will last for one year.
Please Note: No one is allowed to place a fraud alert on your credit report except you.
Security Freeze. By placing a security freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name. You will need to contact the three national credit reporting bureaus listed above to place the freeze. Keep in mind that when you place the freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. There is no cost to freeze or unfreeze your credit files.
Additional information.
If you are the victim of fraud or identity theft, you have the right to file a police report.
You may consider starting a file with copies of your credit reports, any police report, any correspondence, and copies of disputed bills. It is also useful to keep a log of your conversations with creditors, law enforcement officials, and other relevant parties.
For more information on preventing identity theft, you can contact the following: NY Dept. of State Division of Consumer Protection at http://www.dos.ny.gov/consumerprotection or (800) 697-1220 or NYS Attorney General at http://www.ag.ny.gov/home.html or (800) 771-7755.
This notice is to advise VillageCareMAX members of a security incident that may have impacted their personal data. On March 18, 2025, VillageCareMAX was notified that our dental benefits administrator, Liberty Dental, was impacted by the Change Healthcare (“CHC”) security incident. CHC provides services to health care providers, health insurance plans and other companies, from which members may have received health services or coverage. Because CHC works as a vendor to health care providers and health insurance plans, personal information, including your health information, may have been impacted in this incident. We are posting this substitute notice to provide members with information about the security incident and to share resources available to individuals who believe their personal data was potentially impacted.
CHC has been reviewing information since the date of the original event and providing impacted health care providers, health insurance plans and other companies with notification of impact to their patients and/or members once identified. CHC is not aware of any misuse of any impacted individuals’ information as a result of the incident.
What happened?
On February 21, 2024, CHC found activity in their computer system that happened without their permission. They quickly took steps to stop that activity. CHC began an investigation and hired a special team to assist them in their review. They also contacted law enforcement and turned off their systems to help protect their customers and their customers’ patients/members.
On March 7, 2024, CHC was able to confirm that a cybercriminal was able to see and make copies of some of the data in their system. According to CHC this happened between February 17, 2024 and February 20, 2024.
On March 18, 2025, VillageCareMAX was notified that Liberty Dental had been impacted by the above-described security incident.
What information was involved?
The data that may have been seen and taken includes contact information (such as name, address, date of birth, phone number, and email) plus one or more of the following:
- Health insurance data (such as health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers)
- Health data (such as medical record numbers, doctors, diagnoses, medicines, test results, images, care, and treatment)
- Billing, insurance claims and payment data (such as claim numbers, account numbers, billing codes, payment cards, financial and banking, and balance)
- Other personal data (such as Social Security number, driver’s license or state ID number, or other ID number)
The data that may have been seen and taken was not the same for everyone. Some of the data may have been about the person who paid the bill for the health care services.
Why did this happen?
A cybercriminal accessed the CHC computer system without permission.
What is CHC doing?
CHC investigated the event and called law enforcement. They also made changes to their computer systems and implemented additional safeguards to ensure that this does not happen again. They are offering impacted members free credit monitoring and identity theft protection services and have offered to pay for the cost of these services for 2 years.
What you can do:
You can sign up for the above-referenced free credit monitoring and identity protection services. Make sure that your bills and accounts look correct. If you learn of a crime against you, you can file a report with law enforcement.
What if I have a question?
CHC has established a dedicated call center to offer additional resources and information to people who believe they may have been affected by this incident. If you have any questions or concerns, please call them toll-free at 1-866-262-5342, Monday through Friday, 8 a.m. to 8 p.m. CT. You can also go to www.changecybersupport.com and click the link to register online with IDX to enroll in free credit monitoring services. We are sorry for any concern this event may cause.
