ODHS and the Department of Administrative Services Enterprise Security Office noticed the breach on January 28 following reports from staff who believed their email accounts had been accessed. All impacted email accounts were rapidly identified, and remote access to the accounts was disabled the same day.
An investigation was initiated into the breach to discover what protected health information may have been viewed and who had been impacted. That process has taken some time to finish as it involved checking around 2 million emails.
The hackers accessed the impacted accounts and were able to access emails in the accounts for a period of 19 days. ODHS has revealed that no malware was installed by the hackers but they may have viewed or obtained PHI such as names, contact details, Social Security numbers, case numbers, and sensitive health data.
On March 21, when it became obvious that PHI was involved, ODHS published a substitute breach notice to its website and made a call center available for affected individuals to find out more about the breach. However, individual breach notifications were not shared until June 21.
ODHS oversees programs linked to child welfare, individuals with disabilities, and seniors, and deals with some of the most susceptible individuals in the U.S. To safeguard those individuals from harm, ODHS has covered the cost of a $1 million identity theft reimbursement insurance policy and is providing all affected individuals one year of complimentary credit monitoring and identity theft recovery services.
ODHS representative Robert Oakes said this is an “extremely sophisticated email attack.” ODHS has since shared access to the email web application that was impacted and will continue to complete internal security audits to identify vulnerabilities, and will subject those vulnerabilities to a HIPAA-compliant risk management review. Staff already receive security awareness training, and efforts to educate the workforce about the dangers of phishing will continue.