Kentucky’s Cabinet for Health and Family Services (CHFS) has issued a statement disclosing a recent breach:
The Cabinet for Health and Family Services (CHFS) is informing 1,090 Medicaid clients by letter of a computer security breach that may have resulted in the unintentional release of information held by Hewlett-Packard Enterprise Services (HP ES), the vendor that manages Medicaid’s information management system.
In mid-November, an employee of Carewise Health, a subcontractor of HP ES, responded to a telephone computer scam, resulting in unauthorized remote access to a computer that contained a database with information on the Medicaid clients. HP ES and Carewise Health disabled the laptop as soon as the breach was reported, and notified CHFS. Typically such scams are targeted at charging people for unnecessary computer services. While there is no evidence that the confidential contents of the database were accessed, the hacker did have access to the employee’s laptop for a brief period. The database included health and other information about the individuals being notified, including social security numbers for less than half the individuals. HP ES is arranging for those affected to receive free credit monitoring to detect identity theft for one year.
“In all likelihood, this scam was designed to receive payment from the employee in question and was never intended to be used to access or view client information,” said Rodney Murphy, executive director of the CHFS Office of Administrative and Technology Services. “However, because we cannot rule the possibility out, we are notifying clients who might have been affected by this incident. We take our role of safeguarding the personal information of those we serve very seriously and expect our vendors to uphold that commitment as well. We are working with the vendor to ensure the appropriate steps are being taken to protect against future issues of this kind.”
The Cabinet is required to notify clients individually of any potential breach involving more than 500 individuals by the federal Health Insurance Portability and Accountability Act, more commonly known as HIPAA. Individuals who believe their information may have been involved or who need additional information should contact HP ES toll-free at 1 (877) 298-6108, option 1. The number will be active for 90 days.
This is the second time in the past few months that the Cabinet has reported a breach due to employees falling for a scam. In the previous case, an employee in the Department for Community Based Services fell for a phishing attempt that gave the attacker access to information on 2,500 clients. In this case, it was not one of the state’s own employees, but a subcontractor’s employee.