Carruth data security incident

The week of Jan. 13, 2025, we learned that Carruth Compliance Consulting, the third-party administrator of Clackamas ESD’s 403(b) and 457(b) retirement savings plans, discovered suspicious activity on its computer systems in late 2024. An investigation revealed that sensitive employee data for Carruth’s clients, including Clackamas ESD, was affected. Carruth’s customers include many of the school districts, ESDs and other organizations throughout Oregon and beyond. More information about this incident is available on Carruth’s website.

Carruth immediately began working with third-party specialists to investigate the activity, and then notified the Federal Bureau of Investigation. The company also immediately engaged a sub-contractor to handle processing of information coming in from its clients. For the foreseeable future, no further retirement account transactions from Clackamas ESD employees will be processed by Carruth.

Frequently asked questions

It appears the Carruth incident potentially affects all individuals who have been employed at Clackamas ESD between 2011 and January 2025, regardless of whether or not Carruth was actively managing their 403(b) or 457(b) retirement saving plans.  We need to assume that all of those individuals have been affected, and we encourage those current and former employees to take steps outlined below to monitor and protect personal information.

Carruth reported that the affected information may include employee and beneficiary Form W-2 Wage and Tax Statement information (names, Social Security numbers, mailing addresses and compensation information), dates of birth, financial account information, email addresses, driver’s license numbers and medical billing information (but not medical records).

No. The Carruth data incident is a third-party incident involving Carruth systems. It has nothing to do with Clackamas ESD’s systems. Clackamas ESD systems were not involved in the Carruth incident and they remain secure.

There is no evidence that retirement accounts were affected, and we are in communication with the custodians of those accounts to ensure they remain secure.

While Carruth provided third-party administrative services for Clackamas ESD’s 403(b) and 457(b) retirement savings plans, Carruth also monitored our contributions compliance. This required us to provide data for all employees to ensure our practices were in compliance with IRS limits.

We are working with Carruth and multiple other parties to understand the full scope of the data incident, to ensure all affected employees will be directly notified and provided appropriate remediation services, and to ensure the company is taking appropriate steps to mitigate the impact on our employees. We will update information about the incident as it becomes available.

  • Enroll in credit monitoring and identity restoration services. Carruth is offering free credit monitoring and identity restoration services through IDX, a firm that provides identity protection services to consumers affected by data security incidents. To enroll, please call IDX at 877-720-7895.
  • Monitor your accounts. Regularly review your bank accounts, credit card statements, retirement accounts and other financial accounts for any suspicious activity. If you see anything unusual, report it to your financial services provider immediately.
  • Check your credit reports. You are entitled to one free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian and TransUnion). Visit www.annualcreditreport.com or call 877-322-8228 to order your free reports.  
  • Consider placing a credit freeze and/or fraud alert on your credit report. You can place a fraud alert or credit freeze on your credit report to help protect yourself from identity theft. See details below. Both of these actions require more substantial proof of your identity before new credit can be opened in your name.
  • Report any suspicious activity. If you suspect you are a victim of identity theft, report it to the Federal Trade Commission at www.identitytheft.gov or 877-ID-THEFT (877-438-4338). You also should file a police report.

IDX is a leading data incident response services provider that helps protect people who may be affected by data security incidents. Carruth retained IDX to provide free credit monitoring and identity protection services to our employees and answer questions you may have about the incident.

Unfortunately, each impacted individual must enroll separately in the services provided by IDX. In order to enroll in those services, you must contact IDX at 877-390-8299 and provide them with information they request.

  • Credit freezes prevent credit bureaus from releasing your credit report without your explicit consent. This makes it harder for identity thieves to open accounts in your name. You can place a credit freeze on your credit file at no cost.
  • Fraud alerts notify creditors to verify your identity before issuing new credit. You can place an initial fraud alert (lasting one year), or an extended fraud alert (lasting seven years) if you believe you are a victim of identity theft.
  • Place a credit freeze and/or fraud alert by contacting the three major credit reporting bureaus:

Additional resources