Dept. of Health and Welfare: Client data may have been accessed without authorization

The following is a news release from the Department of Health and Welfare.

The Department of Health and Welfare (DHW) has recently been informed that clients’ personal information contained in a contractor’s employee’s email account may have been accessed without authorization.

OS Inc. provides claims management services to the Department of Health and Welfare. The access was obtained through an email phishing campaign. At this time, there is no evidence that personal information or financial account information was accessed because of this event. The 2,060 individuals potentially affected by this have been notified by OS with a notice sent by U.S. Postal Service.

“Protecting the personal health and financial information for the people we serve is critical for the Department of Health and Welfare,” said DHW Director Dave Jeppesen. “We are working closely with OS to make sure proper notifications have been sent and that those affected have access to monitoring and assistance to make sure their information is safe. We are also working with OS to make sure this doesn’t happen again. In addition, I’ve asked my staff to evaluate the lessons learned from this incident, so we can apply those to our overall cybersecurity efforts.”

OS Inc. informed DHW that it immediately launched an investigation after discovering suspicious activity in an employee’s email account and began working with forensic experts to determine the nature and scope of the activity. On Feb. 20, 2019, the investigation confirmed an unauthorized actor gained access to the employee’s email account from Oct. 15, 2018, through Dec. 21, 2018, using account credentials harvested through a phishing email campaign. OS Inc. immediately secured the contents of the impacted account and ensured that the unauthorized actor no longer had access. DHW was notified in mid-March by OS Inc. “of a recent data security incident that affected our (OS’s) system and may have included your organization’s (DHW) protected health information.”

On or about April 1, 2019, OS Inc. confirmed the identities of those individuals whose information may have been accessible in the email account and began working with affected healthcare providers, including DHW, to confirm the contact information for these individuals. The impacted individuals will receive notification in the mail sometime during the week of May 6 with details about the type of information that may have been accessed.

The types of information contained in the employee’s email account included billing information for the Infant Toddler Program and Mental Health Services such as full name, Social Security number, date of birth, address, and other demographic and clinical information (i.e., diagnosis codes and nature of services provided). Clinical information included service dates ranging from Oct. 7, 2016, to Sept. 28, 2017.

The Department of Health and Welfare and OS Inc. take this incident and the security of personal information very seriously. OS Inc. assures DHW it has reviewed existing policies and procedures, implemented additional safeguards, and secured the impacted email account. OS Inc. will continue to further secure the information in its systems going forward.

Individuals seeking additional information about this incident can call the toll-free dedicated assistance line at 1-866-775-4209 Monday through Friday (excluding U.S. holidays), 8 a.m. to 5:30 p.m. Central Daylight Time, or 7 a.m. to 4:30 p.m. Mountain Daylight Time.