DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Cabinet for Health and Family Services notifies 1,090 Medicaid patients after subcontractor's employee fell for a scam

Posted on December 28, 2012 by Dissent

Kentucky’s Cabinet for Health and Family Services (CHFS) has issued a statement disclosing a recent breach:

The Cabinet for Health and Family Services (CHFS) is informing 1,090 Medicaid clients by letter of a computer security breach that may have resulted in the unintentional release of information held by Hewlett-Packard Enterprise Services (HP ES), the vendor that manages Medicaid’s information management system.

In mid-November, an employee of Carewise Health, a subcontractor of HP ES, responded to a telephone computer scam, resulting in unauthorized remote access to a computer that contained a database with information on the Medicaid clients. HP ES and Carewise Health disabled the laptop as soon as the breach was reported, and notified CHFS. Typically such scams are targeted at charging people for unnecessary computer services. While there is no evidence that the confidential contents of the database were accessed, the hacker did have access to the employee’s laptop for a brief period. The database included health and other information about the individuals being notified, including social security numbers for less than half the individuals. HP ES is arranging for those affected to receive free credit monitoring to detect identity theft for one year.

“In all likelihood, this scam was designed to receive payment from the employee in question and was never intended to be used to access or view client information,” said Rodney Murphy, executive director of the CHFS Office of Administrative and Technology Services. “However, because we cannot rule the possibility out, we are notifying clients who might have been affected by this incident. We take our role of safeguarding the personal information of those we serve very seriously and expect our vendors to uphold that commitment as well. We are working with the vendor to ensure the appropriate steps are being taken to protect against future issues of this kind.”
The Cabinet is required to notify clients individually of any potential breach involving more than 500 individuals by the federal Health Insurance Portability and Accountability Act, more commonly known as HIPAA. Individuals who believe their information may have been involved or who need additional information should contact HP ES toll-free at 1 (877) 298-6108, option 1. The number will be active for 90 days.

This is the second time in the past few months that the Cabinet has reported a breach due to employees falling for a scam. In the previous case, an employee in the Department for Community Based Services fell for a phishing attempt that gave the attacker access to information on 2,500 clients. In this case, it was not one of the state’s own employees, but a subcontractor’s employee.

Category: Health Data

Post navigation

← Out with the old, in with the new
Brigham and Women’s Hospital statement regarding the theft of a computer →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.