A phishing attack on Manitowoc County in Wisconsin potentially breached personal healthcare information for about three months.
Officials discovered the breach on April 24; however, the hackers began accessing a Manitowoc County email account “on or around” Jan. 14. The hacked email account was immediately secured, but the unauthorized access went on for about three months.
During the event, the cybercriminals diverted emails sent to the impacted account to a different email account to which the county did not have access, officials said. The investigation couldn’t rule out a breach, nor did officials determine whether the data was misused or sold.
The breached data included demographic and health information for all individuals who received health services through the county, including insurance details, prescriptions, diagnoses, client ID numbers and other medical information. This type of information is often used by cybercriminals for medical fraud.
Officials did not specify how many individuals were included in the breach, and it’s not yet listed on the Department of Health and Human Services breach portal. Officials said all impacted individuals have been notified.
The length of time until discovery is notable and highlights the need for all organizations to ensure they have proper ID and access management in place that would allow IT to better detect any unauthorized access or abnormal activity on the network, such as the diverted emails.
Security monitoring is especially crucial as healthcare and government entities have continued to be targeted by hackers this year. In March, a ransomware attack on the city of Atlanta shut down the city for a number of days and cost the city millions to recover.