Frequently Asked Questions

  1. What happened?

    On April 21, 2020, CodeMetro systems suffered a ransomware attack, which was detected within hours of its deployment. Upon discovery, CodeMetro took immediate steps to contain the threat and engaged a third-party forensic firm to investigate the incident and assist with remediation efforts. CodeMetro also notified federal law enforcement authorities of the incident.

    CodeMetro’s investigation has found that prior to deploying the ransomware, the criminals were able to access a database server and deploy tools to copy and remove some data. The database server contained health-related patient information and employee payroll information.

    Back To Top
  2. Who is CodeMetro and why do they have my data?

    CodeMetro provides software solutions such as NPAWorks to applied behavior analysis providers. These applied behavior analysis providers may have used CodeMetro services that involved patient and/or employee information.

    Back To Top
  3. Was my provider/employer impacted?

    We notified all providers/employers whose employees’ or patients’ information may have been involved of the incident by letter dated May 29, 2020.

    Back To Top
  4. What personal information was involved?

    The patient information may have included:

    1. Information to identify and contact the patient (such as patient name, patient picture, parent/legal guardian name, guarantor name, address, email address, phone number, date of birth, gender, and ethnicity);
    2. School information (such as school name, Individualized Education Program (IEP) start and review dates, assessment and psychological evaluation dates, and eligibility type (type of behavioral or developmental condition or impairment));
    3. Health insurance information (such as payer name, payer contract dates, policy information including type and deductible amount, and policy ID number); and
    4. Medical information (such as dates of enrollment with an ABA provider’s services, authorized services, allotted time/number of sessions, diagnostic codes and modifiers, charge/reimbursement rates, outcomes, and provider names).

    Please note that the data fields that may have been impacted depend on the provider and not all data fields may have been involved for all individuals. If the patient is covered under TRICARE, the health insurance ID number may be a guarantor/legal guardian’s Social Security number.

    The employee information may have included name, address, Social Security number, driver’s license number, and date of birth.

    Back To Top
  5. Was my information was involved?

    We have attempted to notify by letter the individuals whose information may have been involved in this incident. If you are affected by this incident, it is possible the letter has not yet arrived. It is also possible that your information was not involved in this incident. If you were not affected by this incident, you will not receive a letter. In the event you do not receive a notice but think your data may have been impacted, a notice has been posted on this website that can provide more information.

    Back To Top
  6. Why wasn’t I notified earlier?

    As soon as CodeMetro discovered the incident, the company promptly launched a forensic investigation, contacted law enforcement, and took steps to remediate the incident. It was important that we accurately understood what happened and properly identified who was affected.

    Back To Top
  7. What are you doing in the future to protect the security of my information?

    CodeMetro takes data security incidents very seriously and has worked to implement the necessary steps to ensure the continued protection of data. In response to this incident, CodeMetro also enhanced its security and monitoring as well as hardened systems to minimize the risk of any similar incident in the future. CodeMetro has also arranged to offer credit monitoring for a period of one year, at no cost to those individuals whose Social Security numbers or driver’s license numbers may have been involved.

    Back To Top
  8. Are you providing credit monitoring services?

    If your Social Security number or driver’s license number was potentially impacted, we are offering you complimentary credit monitoring services. For more information about these services and instructions on how to activate the membership, please follow the steps included in the letter sent to you.

    Even if your Social Security number or driver’s license number was not potentially impacted, you may obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting companies. To order your free annual credit report, visit, call toll-free at 1-877-322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (“FTC”) website at and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The three credit bureaus provide free annual credit reports only through the website, toll-free number or request form.

    Back To Top
  9. What steps can I take to protect myself?

    We encourage you to remain vigilant in monitoring your account statements for any unusual or unauthorized activity, and to promptly report such incidents to your health care provider, insurer or company with which the account is maintained. The Reference Guide also contains general steps you can take to monitor and protect your personal information.

    Back To Top
  10. Who can I call if I have questions?

    Please call 1-855-907-2106 (Toll-Free) to ask questions and learn additional information. This call center is open 9:00 a.m. to 9:00 p.m. ET, Monday through Friday, except holidays.

    Back To Top