Barrow County in Georgia issued a breach notice about a breach of its email environment that occurred between March and August of 2022.
Its notification, posted on its website, states, in part:
“The type of information at issue varied for each individual, but included a variation of the following: name; date of birth, Social Security number; driver’s license or state identification number, financial account information, credit or debit card information, including the expiration and CVV code, clinical and treatment information, medical provider information, prescription information, insurance policy information, and/or patient account or medical record numbers.”
They first notified people this week.
The notice does not state when they first discovered the breach; it says only that “Upon learning of the incident, Barrow County promptly began an internal investigation and engaged a forensic security firm to investigate the incident and secure its computer and email systems.”
So:
1. When and how did they first discover the breach and start to investigate?
2. How many people are they notifying?
3. How far back in time did the emails that were vulnerable or accessed go?
4. Why did it take from the time they first discovered a breach until now to figure out everyone who needed to be notified?
5. Was the health data in the emails from the county as a health plan, as a provider, or as a business associate to Northeast Georgia Medical Center? Has HHS been notified of this breach?
DataBreaches would ask them these questions, but they don’t seem to post any email contact information on their website.