Date: 2023-03-29

Adams County Children and Youth Services (“ACCYS”) has begun notifying individuals who have received ACCYS services that their protected health and/or personally identifiable information may have been accessed without authorization when a single employee email account was compromised, according to a release issued by Lisa Moreno-Woodward, deputy chief clerk, Adams County Commissioners office.
On Aug. 15, 2022, an ACCYS employee responded to a phishing email. Adams County (the County) immediately changed that employee’s password. Recently, as part of the County’s ongoing evaluation of email security and with the assistance of a nationally recognized digital forensics team, the county discovered that there had been suspicious activity on the same employee’s email box that the county was not aware of at the time of the password change. The county worked with the investigators to further understand what happened. Through the investigation the county learned that an unauthorized individual accessed the email account for approximately 30 minutes. ACCYS could not determine which specific emails were accessed. In an abundance of caution, ACCYS decided to review the entire contents of the email box to establish what information may have been involved, who may have been affected, and where those people reside so that it could provide notice.
The affected data varied, but may have included an individual’s name, or initials, and some or all of the following kinds of data: address, date of birth, health information, information about services and programming provided by ACCYS, medical diagnoses and/or treatment information. For a small number of individuals, the information may have included mental health diagnoses and/or treatment information, medications, injuries, health insurance information and information related to substance use. The county’s investigators also searched Dark Web sources and found no indication that any of its data had been released or offered for sale as a result of this incident, and at this time, the county has no indication that any of the information has been inappropriately used by anyone.
As a precautionary measure, the county urged potentially impacted individuals to take appropriate steps to protect their personal information by remaining vigilant to the possibility of fraud and identity theft by reviewing and monitoring their Explanation of Benefits forms for any unauthorized activity. For certain potentially impacted individuals, the county also recommends reviewing free credit reports and/or account statements. The county indicated that any unauthorized or suspicious activity should be reported immediately to the appropriate authorities, including local law enforcement. In addition, consistent with its compliance obligations and responsibilities, the county is providing notice of this incident to the U.S. Department of Health and Human Services and all appropriate state regulators.
“The privacy and security of the information we maintain is very important to the county, and we remain committed to doing everything we can to maintain the confidentiality of such information,” said the county administrator, Steve Nevada. “The county wants to make sure an incident like this does not happen again, so it has taken a number of steps to change the way it protects information and has enhanced its security procedures.”
A letter issued to those who may be impacted:
“Recently, Adams County Children and Youth Services (ACCYS) learned that there was unauthorized access to an ACCYS employee email account. On March 24, 2023, we mailed notifications to individuals whose protected health information and/or personal information may have been subject to unauthorized access or acquisition. Unfortunately, we did not have sufficient contact information to provide written notice to some individuals. To notify those individuals for whom we do not have sufficient contact information, we are providing our toll-free telephone number below. This number can be called to determine whether an individual’s information was included in the data potentially impacted by this incident.
“At this time, we have no indication that any of this data has been inappropriately used by anyone.
“However, we are providing this notice as a precautionary measure, to inform potentially impacted individuals, and suggest ways that individuals can protect their information. We recommend that you closely review the information provided below for some steps that you may take to protect yourself against potential misuse of your information.”
On August 15, 2022, one of our employees responded to a phishing email. We immediately changed the employee’s password. Recently, as part of our ongoing evaluation of email security and with the assistance of a nationally recognized digital forensics team, we discovered that there had been suspicious activity on the same employee’s email box that we were not aware of at the time of the password change. We worked with the investigators to further understand what happened and to determine the scope of any potential unauthorized access to the email box. We determined through the investigation that we would be unable to identify which specific emails may have been viewed or acquired by the unauthorized actor during the approximately 30-minute period of access. Therefore, in an abundance of caution, we undertook a comprehensive review of the entire contents of the email box to establish what information may have been involved, who may have been affected, and where those people reside so that we could provide notice.
What Information Was Involved
The impacted email account may have contained an individual’s name, or initials, as well as some or all of the following kinds of data: address, date of birth, names of family and/or household members, ACCYS case number(s) and/or referral number(s), information about residency and/or placements, personal family referral information and/or ACCYS investigative materials, information regarding services and programming provided by ACCYS, health information, medical diagnoses and/or treatment information. For a small number of individuals, the information may have included their Social Security number or the last four digits, driver’s license number, mental health diagnoses and/or treatment information, medications, injuries, amounts paid for medical treatment, patient identification number(s), medical record number(s), health insurance information, or information related to substance use.
What We Are Doing About It
Because of this incident we have taken steps to ensure the security of all email accounts and worked to review the contents of the impacted email account. To further strengthen the security of the information we maintain, and to help prevent similar incidents in the future, we have taken or will be taking the following steps:
1. Completed implementation of multi-factor authentication on ACCYS employee email accounts
2. Enhancing our retention policy for electronic data
3. Retraining ACCYS employees regarding protection of private information in email communications
4. Supplementing our training for employees regarding cybersecurity awareness
5. Implementing automatic password reset procedures for cybersecurity incidents
Additionally, we will provide notice of this incident to the United States Department of Health and Human Services and appropriate state regulators.
We recommend that you take the following preventative measures to help protect your information:
1. Remain alert for incidents of fraud and identity theft by regularly reviewing any account statements, free credit reports and health insurance Explanation of Benefits (EOB) forms for unauthorized or suspicious activity. Information on additional ways to protect your information, including how to obtain a free credit report and free security freeze, can be found at the end of this letter.
2. For those whose Social Security number or driver’s license number was involved, enroll in the complimentary credit monitoring offered by the County. Instructions on how to activate the credit monitoring membership are included in the letters mailed to those individuals.
3. Report any incidents of suspected identity theft to your local law enforcement, state Attorney General and the major credit bureaus.
Please accept our apologies that this incident occurred. We remain fully committed to maintaining the privacy of personal information in our possession and will continue to take many precautions to safeguard it. If you have any questions or concerns about this incident, you may contact us toll-free at 833-475-1813, Monday through Friday 9 a.m.–11 p.m., Saturday and Sunday 11 a.m.–8 p.m. (excluding major U.S. holidays). Be prepared to provide the following engagement number: B088251. You may also contact the Adams County privacy officer, Lindsey Ringquist, at 717-337-9820.
