The Idaho Department of Health and Welfare revealed Thursday that the information for 2,060 clients who used some state programs was compromised by a phishing attack against one of the agency’s contractors.
The breach was not directly targeted at Department of Health and Welfare patients but was part of a larger attack against OS Inc., the claims service provider for a number of the department’s programs. Thousands of people who had used the department’s Infant Toddler Program and Mental Health Services program in the past were notified by mail last week that their information was included in the breach.
An OS Inc. news release stated that it discovered in February that an employee email had been compromised by a phishing email scam between October and December. A phishing attack involves sending an email that tricks the victim into clicking on a link or download, which allows the attacker to access their computer through the email account. Idaho Department of Health and Welfare was among the five healthcare providers affected by the breach.
“At this time, there is no evidence of any actual or attempted misuse of the information accessible within the email account. No financial account information was impacted as a result of this event,” the release said.
The compromised data for the Department of Health and Welfare programs included services provided between Oct. 7, 2016, and Sept. 26, 2017. Information in the breach included the names, Social Security numbers, addresses and clinical procedure details for the clients but not their credit or debit card information.
IDHW spokeswoman Niki Forbing-Orr said the department had temporarily stopped its billing with OS Inc. after first being alerted to the breach in March but has since restored its business dealing with them.
“We take the issue of cybersecurity very seriously. We are now working with OS to go over their policies and procedures to prevent these incidents,” Forbing-Orr said.
OS Inc. partnered with the cybersecurity company Kroll to offer free identity theft monitoring and fraud consultation to anyone impacted by the attack. Kroll is the same company that investigated an attack by a Trojan virus that targeted usernames from Idaho Falls School District 91 in November.
People looking for more details about the potential impact of this breach for them are encouraged to contact OS Inc. directly by calling one of its toll-free assistance lines at 1-866-775-4209 or 1-800-273-7604.