An unauthorized email from a Kansas Department for Aging and Disability Services (KDADS) employee was sent to a group of business associates, which created a possible PHI data breach, according to a KDADS online statement.
KDADS became aware of the incident on February 23, 2018, and said it immediately reached out to the business associates and individuals who were possibly affected. KCUR reported that 11,000 individuals may have been impacted.
PHI was disclosed only to the business associates, and there is no indication that the information has been misused or disclosed publicly, KDADS explained.
The email may have contained consumer names, addresses, dates of birth, Social Security numbers, gender, in-home services program participation information, and Medicaid identification numbers. Banking, credit card information, and driver’s license information were not included.
“Contracts/business associate agreements protect this information from further dissemination, inappropriate or unauthorized use, and/or disclosure,” KDADS maintained in its statement.
“KDADS apologizes sincerely to the consumers affected for any distress or inconvenience this may cause,” the Department continued. “KDADS is undertaking an immediate review of policies and procedures relevant to preventing a similar situation from occurring.”
KDADS Director of Communications Angela de Rocha told KCUR that all recipients of the email were contacted and advised to either delete or destroy the email. Recipients were also asked to shred any printed copies.
KDADS urged concerned individuals who were possibly impacted to place a security freeze or a fraud alert on their credit reports. Individuals can also order a free copy of their credit report to review for any potential malicious activity.
Business associate employee falls for phishing scam
A phishing scam led to potential PHI exposure at an Illinois-based business associate.
Flexible Benefit Service Corporation (Flex) works with insurance brokers, employers and insurance carriers, and learned on December 6, 2017 that phishing emails were being sent from an employee’s account.
“We have determined the Flex employee was the victim of a phishing attack that resulted in their email account credentials being used by unknown individual(s) to gain unauthorized access to the employee’s email account,” Flex said in an online statement. “The investigation shows that the unknown individual(s) searched the email account for emails or attachments containing terms such as ‘wire transfer,’ ‘wire payment,’ and ‘invoice’.”
That type of information is typically not in that employee’s email account, the business associate added. Even so, Flex said it cannot guarantee that certain information was not accessed through the email account.
OCR’s data breach reporting tool states that 5,123 individuals may have been impacted.
Flex stated that the information involved varied, but did include names, addresses, phone numbers, Social Security numbers, and dates of birth.
The incident was isolated to a single Flex employee email account, and the rest of the business associate’s systems were not affected.
Flex added that it will be offering complimentary credit monitoring and identity theft recovery services.
“Flex is committed to enhancing its ongoing employee training designed to help them identify and properly report potential email phishing scams,” the organization explained.