Dear current, former, and retired Commissioned Corps Officers,
We are reaching out regarding the web-based Commissioned Corps Management Information System (CCMIS). Specifically, we are making progress in our investigation and will be bringing part of the system securely back online to process payroll during the week of October 17. When access to CCMIS is fully restored for use by officers, we will notify you via email.
Additionally, we have updated the FAQs on this issue, pasted below and available at http://www.surgeongeneral.gov/ccinfo, to reflect additional questions we have received from you. Thank you to those of you who have contributed questions and feedback so far. If you have questions you would like to see answered as part of the FAQs or if you have additional feedback, we encourage you to use the dedicated email address for this issue: CCinfo@hhs.gov.
As promised, as the investigation proceeds and we learn more, we will continue to communicate with you regularly to share new information, including by updating the FAQs.
Sincerely,
Karen B. DeSalvo, MD, MPH, MSc
Acting Assistant Secretary for Health

Vivek H. Murthy, M.D., M.B.A
Vice Admiral, USPHS
U.S. Surgeon General
Frequently Asked Questions about the Commissioned Corps Management Information System
- Who is affected?
We received questions from people in specific circumstances trying to confirm whether they are affected by this issue, including: “Does this apply to civil servant supervisors of Commissioned Officers who are responsible for granting leave? If I served in the Corps over 20 years ago, is it likely that my data was compromised? How will I know if I or my family member was impacted by this issue?”
- The issue relates to an application on a website that exclusively serves the Commissioned Corps and their unique needs, and the database contains Personally Identifiable Information (PII) related to current, retired, and former Commissioned Corps officers and their dependents. We are still investigating what types of PII were involved, but at this point we have evidence that unauthenticated users could access names, Social Security numbers, and dates of birth. We are currently working to assess how individuals might be affected and we will continue to communicate with you as we have additional information to share. We will also be adding to these frequently asked questions based on inquiries we receive and invite you to submit your queries to CCinfo@hhs.gov.
- If I did not receive an email, does that mean I am not affected?
- Through our email on October 3, we intended to reach as many Corps officers as possible who may have been affected, but we were only able to send email notifications to current, former, and retired Corps officers who have a current email address on file with us. If you did not receive an email and would like to be added to our email list, please send a request to CCinfo@hhs.gov.
- How should I manage my human resources responsibilities while the system is down?
We received several questions regarding specific human resources (HR) needs, including the impact on Commissioned Officer’s Effectiveness Reports (COERS) and promotions, submitting leave requests, vaccination records, documentation of career counseling, and other documents into your eOPF, and processing personnel orders including onboarding, transfers, and retirement.
- We will be bringing part of the Commissioned Corps Management Information System (CCMIS) securely back online to process payroll during the week of October 17. When access to CCMIS is fully restored for use by officers, we will notify you via email. Currently, we are evaluating options for changing affected personnel requirement deadlines and timelines, and we are working to expeditiously address time-sensitive requests. Officers will not be penalized for missing any document submission deadline due to inaccessibility of the current system. When the system is back online, we will notify you via email. We appreciate your patience. At this time, if you have questions, we encourage you to use the dedicated email address we have established for this issue: CCinfo@hhs.gov.
- I understand that because the Commissioned Corps Management Information System (CCMIS) is currently offline, transfer orders must be processed manually and they may take longer to receive. Will this impact dates already agreed upon by the leaving and receiving supervisors? If so, how will an officer be notified of the change?
- If you have a time-sensitive issue regarding transfer orders, please submit a description of your situation, along with your preferred contact information, to CCinfo@hhs.gov. We will be in touch with you as quickly as possible.
- How can I access the information resources such as protocols, guidance documents, training modules, and my previous COERs that are available through CCMIS while the system is offline?
- If you have a time-sensitive need to access Commissioned Corps protocols and guidance documents, please submit your request to CCinfo@hhs.gov. We will be in touch with you as quickly as possible.
- Will this impact my readiness status?
- You will not be able to access your readiness data until the website is re-instated. However, no officer will be held responsible for their readiness status during the time the site is disabled. We will make sure that every effort is made to ensure that all officer readiness data is updated as soon as the system is operational.
- What steps are you taking to protect employees? Will you provide us access to identity protection services? Will my dependents, including my children under age 18, also be provided services?
- We are committed to protecting the privacy of Corps officers and their family members. Any issue of this kind is one issue too many. We took steps to immediately shut down access to this information. As we learn more from our investigation, we will be taking additional steps, which could include offering identity protection services to affected individuals. We will continue to communicate with you as we have additional information to share.
- Will this impact my pay?
- This issue did not affect our ability to process the monthly payroll delivered on September 30 and we do not expect it to affect our electronic processing of payroll moving forward.
- What types of information was involved and what happened in the system?
We received several questions asking about specific types of information and any activities by potential bad actors, including, “Did unauthorized user(s) actually access the system?” and “Were bank account numbers accessed?”
- We are still investigating what types of Personally Identifiable Information (PII) were involved, but at this point we have evidence that unauthenticated users could access names, Social Security numbers, and dates of birth. We will continue to communicate with you as we have additional information to share.
- Is the system now secure?
- The site has been taken down and is inaccessible while this matter is investigated. We will not reinstate the site without assurance that the data within the site is secure.
- Is this issue different from breaches of government data sources such as OPM?
- Commissioned Corps Headquarters (CCHQ) has confirmed that unauthenticated users could access personally identifiable information (PII) in the Commissioned Corps Management Information System (CCMIS), which is used to manage some human resources functions and payroll for the Commissioned Corps. The issue relates to an application on the website, and the database contains information related to current, retired, and former Commissioned Corps officers and their dependents. We are currently working to assess how individuals might be affected and we will continue to communicate with you as we have additional information to share.
- Does this issue affect the Direct Access system as well?
- We are not aware of any evidence that the issue affecting the Commissioned Corps Management Information System (CCMIS) impacts the Direct Access system managed by the U.S. Coast Guard. The issue relates to an application on a website that exclusively serves the Commissioned Corps and their unique needs, and the database contains information related to current, retired, and former Commissioned Corps officers and their dependents.
- What was the “test” email I received on October 2, 2016?
- The “test” email sent on the evening of October 2, 2016 was the USPHS testing its email listserv.
- What should I do now?
- You may wish to review your credit reports for any information that you do not recognize or that is incorrect. You may request a free credit report from one or more of the three national credit bureaus:
Equifax
P.O. Box 740241
Atlanta, GA 30374
Phone: 1-800-685-1111

Experian
P.O. Box 4500
Allen, TX 75013
Phone: 1-877-284-7942

TransUnion
P.O. Box 105281
Atlanta, GA 30348
Phone: 1-877-322-8228

Each consumer is entitled to one free credit report per year from each of the three national credit bureaus. You may want to stagger your requests, requesting one from a different credit bureau every 4 months to have a better chance of finding any potential problem. You may ask for credit reports at https://www.annualcreditreport.com. This is the only authorized Web site for getting your free annual credit report under Federal law.
- Review your account statements.
Review and monitor your financial accounts, including bank accounts and credit card statements. If you see any unusual or suspicious activity, report it promptly to your financial institution.
- Contact the Federal Trade Commission (FTC).
You may contact the FTC for more information about protecting your credit, including how to place a “fraud alert” or “security freeze” on your credit account, by calling its toll-free number at (877) 438-4338 or by visiting FTC’s Web site at www.consumer.gov/idtheft.
- Contact your State’s Attorney General.
In addition to the FTC, you may obtain information about preventing identity theft from your state’s attorney general.
- Look out for scammers. We will not contact you to confirm any personal information. If you or a family member are contacted by anyone asking for your personal information in relation to this situation, do not provide it and please report the incident to CCinfo@hhs.gov.
From: CCinfo (OS/OASH)
Sent: Monday, October 03, 2016 10:35 AM
To: CCINFORMATIONUPDATE@list.nih.gov
Subject: Important Message: PLEASE READ
Importance: High
Dear Commissioned Corps Officers,
We are writing today because the Commissioned Corps Headquarters (CCHQ) has confirmed an issue regarding personally identifiable information (PII) in the Commissioned Corps Management Information System (CCMIS), which is used to manage functions such as new employee onboarding, payroll, leave, and time and attendance. The Department has learned that unauthenticated visitors to CCMIS could access PII, including names, dates of birth, and Social Security numbers. Based on our investigation, affected individuals are those served by this website-based system: current, retired, and former Commissioned Corps officers and their dependents.
As the investigation proceeds and we learn more, we will communicate with you regularly to share new information.
We took steps to immediately disable the website, and it remains inaccessible while this matter is under investigation. Teams across the Department and across government are working to learn as much as we can as quickly as we can, and to further improve our systems to prevent this type of issue in the future. When we have fuller information, we will be able to provide that information. We do want to assure you that this issue did not affect our ability to process the monthly payroll delivered on September 30.
We understand firsthand how concerning it can be to learn that your personal information may have been accessed by unauthenticated users, and we take this issue very seriously. While we wanted to make sure you received timely notification of this issue, there are many questions for which we do not have enough information to answer at this time. Again, as the investigation proceeds and we learn more, we will communicate with you regularly, including a thorough formal notification letter sent to your mailing address. Next steps could include offering identity protection services to affected individuals. In case you would like to take immediate steps to protect your personal information, we are attaching information about how to request a free credit report and how to report unusual activity or potential errors on your credit report.
Securing your personal information, providing you with timely updates on this issue, and taking steps to further improve our systems are our highest priorities. We are developing and will be regularly updating a set of frequently asked questions (FAQs) about this issue. If you have questions you would like to see answered as part of the FAQs or if you have additional feedback, we encourage you to use the dedicated email address for this issue: CCinfo@hhs.gov.
Thank you for your attention to this matter. We are committed to addressing this situation promptly and transparently as we move forward together.
Sincerely,
Karen B. DeSalvo, MD, MPH, MSc
Acting Assistant Secretary for Health

Vivek H. Murthy, M.D., M.B.A
Vice Admiral, USPHS
U.S. Surgeon General