Carruth data security incident

Story by PCC Staff.

About the incident

Carruth Compliance Consulting is the third-party administrator that handles 403(b) and 457(b) retirement savings plans for many Oregon school districts, including PCC. Carruth discovered suspicious activity on their computer systems. An investigation revealed that unauthorized access to Carruth’s network occurred in late December 2024, resulting in the compromise of sensitive employee data for Carruth’s clients, including PCC.

This incident impacts all employees who have been employed by PCC, regardless of whether or not Carruth was actively managing your 403(b) or 457(b) retirement savings plans.

See the official statement here: Carruth notice of data security event.

For support or questions, please contact carruth-incident@pcc.edu.

Frequently asked questions

Q: Was my information compromised?

This data incident impacts all employees who have been employed by PCC, regardless of whether or not Carruth was actively managing your 403(b) or 457(b) retirement savings plans.

According to Carruth, the company will not be notifying employees who have been impacted nor will it provide a list of affected employees to PCC. Please review next steps and how to access credit monitoring support below.

Q: What information was compromised?

Information that was potentially shared includes employee names, social security numbers, dates of birth, pay information, and contribution amounts to 403(b) and 457(b) retirement savings accounts (not PERS).

Additionally, if you shared any information directly with Carruth in the management of your 403(b) or 457(b) retirement savings plans, that information, too, may have been compromised — information like beneficiaries, power of attorney, financial account information, driver’s license numbers, W-2 information, medical billing information and tax filings.

Q: What is PCC doing?

We are working with Carruth to understand the full scope of the incident and to ensure the company is taking appropriate steps to mitigate the impact to our current and former employees.

Q: Why did Carruth have my employee information if I do not have a retirement savings plan?

Carruth requires all participating employers to share information from all employees for its internal and external compliance measures. For example, the company uses that information to reconcile records as people's employment may move between other educational institutions.

Q: What should I do?

You will not receive any notification from Carruth verifying that your information was compromised. Instead, you should proactively take action:

  • Enroll in credit monitoring and identity restoration services: Carruth is offering free credit monitoring and identity restoration services through IDX. To enroll, call IDX at 877-720-7895. After you make this call, IDX will send you an email with further instructions about actions to take on their website. Know that during this online process, you’ll need to enter your social security number and other personal information. You will not be asked to give this information over the phone.
  • Monitor your accounts: Regularly review your retirement savings plans, bank accounts, credit card statements and other financial accounts for any suspicious activity. If you see anything unusual, report it to your financial institution immediately.
  • Check your credit reports: You’re entitled to one free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian and TransUnion). Visit www.annualcreditreport.com or call 1-877-322-8228 to order your free reports.
  • Be on the alert for scams: Scammers may try to target you through social media posts, social media ads, emails and the like. Be cautious about clicking on unknown links. Always visit legitimate websites directly.
  • Consider placing a fraud alert or credit freeze on your credit report: You can place a fraud alert or credit freeze on your credit report to help protect yourself from identity theft. See details below.

Q: How can I set up fraud alerts or a credit freeze?

Fraud Alert: A fraud alert notifies creditors to verify your identity before issuing new credit. You can place an initial fraud alert (lasting one year) or, if you’re already a victim of identity theft, an extended fraud alert (lasting seven years).

Credit Freeze: A credit freeze prevents credit bureaus from releasing your credit report without your explicit consent. A credit freeze is designed to prevent credit, loans and services from being approved in a consumer’s name without consent. However, consumers should be aware that using a credit freeze may delay, interfere with or prohibit the timely approval of any subsequent requests or applications they make regarding new loans, credit, mortgages or any other accounts involving the extension of credit.

To place a fraud alert or credit freeze, contact each of the three major credit reporting bureaus:

Q: Are there any other additional resources?

Advice for those impacted by identity theft: