Notice of Privacy Practices

Effective Date: January 1, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Our Commitment to Your Privacy
We are required by federal and Massachusetts law to maintain the privacy and security of your protected health information (PHI), to provide you with this Notice of Privacy Practices, and to comply with the terms of this Notice.

2.Uses and Disclosures of PHI
We may use and disclose your PHI for home care services, bill and obtain payment for services, health care operations, and as otherwise permitted or required by law.

We may also share with other providers involved with your care, communicate with family and friends assisting in your care, contact you about health services or agency fundraising (you may opt out), and work with business associates who follow our privacy rules.

3. Your Rights Under HIPAA
You have the right to access and obtain a copy of your PHI, request amendments, request restrictions on use/disclosure, request confidential communication methods, receive an accounting of certain disclosures, and obtain a paper copy of this Notice.

4. Massachusetts-Specific Privacy Protections
Massachusetts law provides additional protections for certain types of health information. In some cases, we may be required to obtain your written consent before using or disclosing this information, even for treatment, payment, or health care operations.

HIV/AIDS Information:  Information related to HIV testing, diagnosis, or treatment is protected under Massachusetts law (M.G.L. c. 111, §70F).

Mental Health Information:  Certain mental health records and psychotherapy notes receive special protection under federal and Massachusetts law.

Substance Use Disorder Records:  Records related to substance use disorder treatment that are subject to 42 C.F.R. Part 2 receive heightened federal protection.

5. Cybersecurity and Electronic Communications
We maintain administrative, physical, and technical safeguards designed to protect your PHI, including electronic PHI, in accordance with HIPAA, the HIPAA Security Rule, and Massachusetts data security laws (including 201 CMR 17.00).

Electronic Communications:
We may communicate with you electronically (such as by telephone, voicemail, text message, patient portal, or email) regarding your care, appointments, or billing unless you request otherwise. While we take reasonable steps to secure electronic communications, there is some risk that information may be intercepted.

Use of Mobile Devices and Remote Access:
Our workforce may access your PHI using secure, agency-approved devices and systems. Access is role-based and monitored in accordance with our IT/IS security policies.

Breach Notification:
We are required to notify you following a breach of unsecured PHI involving your information, in accordance with federal and Massachusetts law.

6. Our Responsibilities
We are required by law to maintain the privacy and security of your PHI and to abide by the terms of this Notice.

7. Changes to This Notice
We reserve the right to change this Notice. Any changes will apply to all PHI we maintain. Updated notices will be available upon request and on our website.

8. Complaints
If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint.

Privacy Officer Contact Information:
Care Central VNA and Hospice, Inc.
34 Pearly Lane, Gardner, MA 01440
978-632-1230

Patient SMS Privacy Notice

At Care Central VNA & Hospice Inc. (CCVNA), we are committed to maintaining the privacy and security of our patients’ personal information. This Privacy Notice outlines our practices and your choices regarding the use of your information for SMS (Short Message Service) communications.

Opt-In: By providing your mobile number, you are opting in to receive SMS communications from CCVNA. These messages may include appointment reminders, estimated clinician arrival times, and other relevant updates. Your mobile number will only be used for healthcare-related communications and will not be shared with third parties for their marketing purposes.

Opt-Out: You may opt-out of receiving SMS communications at any time. To opt-out, reply ‘STOP’ to any message you receive from us or contact our office directly. Once you opt-out, you will no longer receive SMS communications from us. Please note that opting out will not affect other forms of communication such as emails or phone calls.

Fees: While CCVNA does not charge for SMS communications, standard message and data rates may apply depending on your wireless carrier and plan.

Privacy: We respect your privacy and are committed to protecting your information. All SMS communications are compliant with the Health Insurance Portability and Accountability Act (HIPAA), which protects your health information from unauthorized use or disclosure.

Updates: We may change this Privacy Notice from time to time. Any changes will be effective immediately upon posting of the revised notice on our website.

By opting in to our SMS communications, you acknowledge and agree to the practices outlined in this Privacy Notice. If you have any questions, please contact our office at 978-632-1230.

Your privacy is important to us, and we are committed to providing you with the highest level of service while respecting and protecting your personal information.

Doctor Alliance Data Breach Incident Affecting Some Care Central VNA & Hospice, Inc. Home Health Patients

Purpose of this Notification.

This is to notify clients and customers of Care Central VNA & Hospice, Inc. (CCVNA) of a recent data security incident involving Doctor Alliance, a third-party software platform used by your physician/provider to manage and sign clinical documentation related to home health services you are currently receiving or may have received in the past. Doctor Alliance is a Texas-based healthcare technology firm that provides billing services and is a web portal that we use with some physicians for communication and physician signatures.  As detailed below, the incident was the result of an unauthorized party gaining access to limited patient data through the misuse of the Doctor Alliance web portal.

Patients affected will receive a letter from CCVNA.

What happened?

Doctor Alliance learned on November 13, 2025, of a potential incident that involved some of the documents available through the Doctor Alliance portal. Doctor Alliance immediately took steps to secure its systems, launched an investigation with the assistance of third-party forensic experts, and notified law enforcement. Doctor Alliance’s investigation determined that an unauthorized party accessed some of the files using the Doctor Alliance web portal intermittently between October 31, 2025 and November 17, 2025.

The third-party investigation determined that the unauthorized party was able to obtain credentials and then use a script to send multiple requests to the Doctor Alliance web portal using varying combinations of patient IDs and document numbers in order to pull certain documents. The investigation did not determine how the unauthorized party initially obtained the credentials used to log into the Doctor Alliance web portal.

This incident did not originate within CCVNA’s systems and was related solely to Doctor Alliance’s platform. However, we take the privacy and security of your information very seriously. We are working closely with Doctor Alliance to review their safeguards and have also taken additional steps within our own systems to further protect your information.

What information was involved?

The investigation determined that the unauthorized party was able to successfully pull twelve different types of documents. These documents contained patient names and information related to patient care. For a detailed list of the types of information located in each document type, see Information about Document Types potentially included in the accessed dataset.

What are we doing?

Doctors Alliance has taken the following steps to strengthen its security following the incident, including, but not limited to:

Adding additional authorization checks for document requests

Hardening the permission enforcement logic

Conducting a code review to check for additional areas of improvement

Adding additional authentication requirements and monitoring to prevent and detect any anomalous activity

Strengthening the firewall controls, request inspection implementation, and application-level logging

In addition, CCVNA is sending letter notifications and posting this to notify all affected patients of CCVNA of this incident and provide you with information that may be helpful for you to determine how you would like to proceed from here.

What Can Individuals Do?

Although CCVNA is not aware of any claims that individuals have been victims of fraud as a result of this incident, we are encouraging individuals to take steps to protect their personal information.  Additional information pertaining to resources are provided below.

Review Your Accounts for Suspicious Activity. We encourage you to remain vigilant by regularly reviewing your accounts and monitoring credit reports for suspicious activity.

Order a Credit Report. If you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228. If you discover information on your credit report arising from a fraudulent transaction, you should request that the credit reporting agency delete that information from your credit report file. Contact information for the nationwide credit reporting agencies is provided in the next section.

Contact the Federal Trade Commission, Law Enforcement and Credit Bureaus. You may contact the Federal Trade Commission (“FTC”), your state’s Attorney General’s office, or law enforcement, to report incidents of identity theft or to learn about steps you can take to protect yourself from identity theft. To learn more, you can go to the FTC’s websites at www.identitytheft.gov; call the FTC at (877) IDTHEFT (438-4338); or write to: FTC Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

You may contact the nationwide credit reporting agencies at:

Equifax: (800) 525-6285; P.O. Box 740241, Atlanta, Georgia, 30374; or www.equifax.com.

Experian: (888) 397-3742; P.O. Box 9701, Allen, TX 75013; or www.experian.com.

TransUnion: (800) 916-8800; Fraud Victim Assistance Division, P.O. Box 2000, Chester, PA 19022; or www.transunion.com.

Additional Rights Under the FCRA. You have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violators. You may have additional rights under the Fair Credit Reporting Act not summarized here.

Identity theft victims and active-duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by:

(i) visiting https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf ; or

(ii) by writing to Consumer Financial Protection Bureau, 1700 G Street, N.W., Washington, DC 20552.

Request Fraud Alerts and Security Freezes. You may obtain additional information from the FTC and the credit reporting agencies about fraud alerts and security freezes. You can add a fraud alert to your credit report file to help protect your credit information. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you, but it also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide credit reporting agencies listed above. As soon as that agency processes your fraud alert, it will notify the other two agencies, which then must also place fraud alerts in your file.

In addition, you can contact the nationwide credit reporting agencies at the following numbers to place a security freeze at no cost to you:

• Equifax: (800) 349-9960
• Experian: (888) 397-3742
• TransUnion: (888) 909-8872

Placing a security freeze prohibits the agency from releasing any information about your credit report without your written authorization. Security freezes must be placed separately at each of the three nationwide credit reporting agencies. When requesting a security freeze, you may need to provide the following information:

Your full name, with middle initial as well as Jr., Sr., II, etc.

Social Security number

Date of birth

Current address and all addresses for the past two years

Proof of current address, such as a current utility bill or telephone bill

Legible copy of a government-issued identification card, such as a state driver’s license, state identification card, or military identification.

After receiving your request, each agency will send you a confirmation letter containing a unique PIN or password that you will need to lift or remove the freeze. You should keep the PIN or password in a safe place.

Doctor Alliance has indicated that it is available to answer any questions you may have regarding the incident and the investigation to date and assist with any additional information you may need to analyze the incident and determine your next steps in light of any applicable laws or regulations. Attached is the link to Doctors Alliance with more information: https://live.doctoralliance.com/Home/DataIncident

We regret that this incident occurred and apologize for any inconvenience. We take safeguarding the information we receive very seriously.