The Kentucky-based Cabinet for Health and Family Services notified approximately 2,500 clients Tuesday that a possible employee e-mail account breach may have resulted in the unintentional release of personally identifiable information.
In July, a Cabinet’s Department for Community Based Services (DCBS) employee responded to a phishing e-mail sent by a hacker. Unauthorized activity on the account was identified within a half hour, and officials say the account was then disabled.
“We really are pretty confident that none of this data has been accessed,” said Gwenda Bond, assistant communications director for the Cabinet for Health and Family Services.
Although officials are not certain the confidential contents of the e-mail account were accessed or viewed, the hacker did have access to the e-mail account for a brief period. Data about the individuals being notified was included in the National Youth Transition Database monitoring those in the process of or who have recently aged out of the foster care system. Officials say health information on diagnoses or Social Security numbers were not on the database and therefore could not have been accessed. Names, addresses and other ID codes, were, however.
[See also: Top 5: Data breach winners and losers by state.]
“In all likelihood, the hacker intended to access the state government e-mail server to send spam e-mails and did not access or view client information,” said Rodney Murphy, executive director of the Office of Administrative and Technology Services. “However, out of an abundance of caution, we are notifying clients who might have been affected by this incident. The Cabinet and DCBS take our role of safeguarding the personal information of those we serve very seriously and have increased awareness activities for staff to help protect against future issues of this kind.”
The Cabinet is required to notify clients individually of any potential breach involving more than 500 individuals by the federal Health Insurance Portability and Accountability Act, more commonly known as HIPAA.
Since the Aug. 2009 Breach Notification rule requiring that HIPAA-covered entities provide notification following a data breach involving 500 individuals or more, the state of Kentucky has seen some 14 data breaches involving the personal health information of 76,202 patient records.