BOISE — The Department of Health and Welfare has recently been informed that clients’ personal information contained in a contractor employee’s email account may have been accessed without authorization.
Idaho individuals seeking information regarding this incident can call the toll-free dedicated assistance line at 1-866-775-4209 from 7 a.m. to 4:30 p.m. Monday through Friday, excluding U.S. holidays. Individuals may also write to OS Inc. at: W237 N2920 Woodgate Road, Suite 100, Pewaukee, Wis. 53072.
OS Inc. provides claims management services to the Department of Health and Welfare. The access was obtained through an email phishing campaign. At this time, there is no evidence that personal information or financial account information was accessed because of this event. The 2,060 individuals potentially affected by this have been notified by OS with a notice sent by U.S. Postal Service.
OS Inc. informed DHW that it immediately launched an investigation after discovering suspicious activity in an employee’s email account and began working with forensic experts to determine the nature and scope of the activity. On Feb. 20, the investigation confirmed an unauthorized actor gained access to the employee’s email account from Oct. 15 through Dec. 21 using account credentials harvested through phishing. OS Inc. immediately secured the contents of the impacted account and ensured that the unauthorized actor no longer had access. DHW was notified in mid-March by OS Inc. “of a recent data security incident that affected our system and may have included your organization’s protected health information.”
Around April 1, OS Inc. confirmed the identities of those individuals whose information may have been accessible in the email account and began working with affected healthcare providers, including DHW, to confirm the contact information for these individuals. The impacted individuals received notification in the mail with details about the type of information that may have been accessed.
The types of information contained in the employee’s email account included billing information for the Infant Toddler Program and Mental Health Services such as full name, Social Security number, date of birth, address and other demographic and clinical information like diagnosis codes and nature of services provided. Clinical information included service dates ranging from Oct. 7, 2016, to Sept. 28, 2017.
The Department of Health and Welfare and OS Inc. take this incident and the security of personal information very seriously. OS Inc. assures DHW it has reviewed existing policies and procedures, implemented additional safeguards and secured the impacted email account. OS Inc. will continue to further secure the information in its systems going forward.