Idaho Health and Welfare Dept. reports client data breach

BOISE — Idaho Department of Health and Welfare officials say clients’ personal information contained in a contractor’s employee’s e-mail account may have been accessed without authorization.

A company known as OS Inc. provides claims management services to the Department of Health and Welfare. The access was obtained through an e-mail phishing campaign, officials said.

“At this time, there is no evidence that personal information or financial account information was accessed. The 2,060 individuals potentially affected by this have been notified by OS with a notice sent by U.S. Postal Service,” said Department of Health and Welfare spokesperson Niki Forbing-Orr.

“Protecting the personal health and financial information for the people we serve is critical for the Department of Health and Welfare,” stated DHW Director Dave Jeppesen. “We are working closely with OS to make sure proper notifications have been sent — and that those affected have access to monitoring and assistance to make sure their information is safe. We are also working with OS to make sure this doesn’t happen again. In addition, I’ve asked my staff to evaluate the lessons learned from this incident, so we can apply those to our overall cybersecurity efforts.”

OS Inc. informed Health and Welfare that it immediately launched an investigation after discovering suspicious activity in an employee’s e-mail account and began working with forensic experts to determine the nature and scope of the activity.

“On Feb. 20 (of this year), the investigation confirmed an unauthorized actor gained access to the employee’s e-mail account from Oct. 15, 2018, through Dec. 21, 2018, using account credentials harvested through a phishing email campaign,” Forbing-Orr explained.

OS Inc. secured the contents of the impacted account and ensured that the unauthorized actor no longer had access. Department officials were notified in mid-March by OS Inc. “of a recent data security incident that affected our (OS’s) system and may have included your organization’s (DHW) protected health information,” Forbing-Orr added.

About April 1st of this year, OS Inc. confirmed the identities of those people whose information may have been accessible in the e-mail account and began working with affected healthcare providers — including the Department of Health and Welfare — to confirm their contact information. Those impacted will receive notification in the mail sometime this week with details about the type of information that may have been accessed.

The types of information contained in the employee’s e-mail account included billing information for the Infant Toddler Program and Mental Health Services such as full name, Social Security number, date of birth, address, and other demographic and clinical information (i.e., diagnosis codes and nature of services provided). Clinical information included service dates ranging from Oct. 7, 2016, to Sept. 28, 2017.

Officials say OS Inc. has assured Health and Welfare that it has reviewed existing policies and procedures, implemented additional safeguards, and secured the impacted e-mail account. OS Inc. will continue to further secure the information in its systems, going forward.

If you would like additional information regarding this incident, you can call the toll-free dedicated assistance line at (866) 775-4209 Monday through Friday (excluding U.S. holidays), 8 a.m. to 5:30 p.m. Central Daylight Time, or 9 a.m. to 6:30 p.m. Mountain Daylight Time. Individuals may also write to OS Inc. at: W237 N2920 Woodgate Road, Suite 100, Pewaukee, Wisconsin 53072.