KY. data breach affects 2,500
The Cabinet for Health and Family Services is informing approximately 2,500 clients by letter of a possible employee email account breach that may have resulted in the unintentional release of information held by the Cabinet’s Department for Community Based Services (DCBS).
According to a statement posted on the Frankfort, Ky.-based organization’s website, in July, a DCBS employee responded to a “phishing” email sent by a hacker. Unauthorized activity on the account was identified within a half hour and the account was immediately disabled. There is no evidence that the confidential contents of the email account were accessed or viewed, but the hacker did have access to the email account for a brief period. Data about the individuals being notified was included in the National Youth Transition Database, which monitors those who are in the process of aging out of the foster care system or who have recently done so.
“In all likelihood, the hacker intended to access the state government email server to send spam emails and did not access or view client information,” said Rodney Murphy, executive director of the Office of Administrative and Technology Services.
Health information on diagnoses and Social Security numbers were not in the database, but names, addresses and other identifying codes were.
Since the Aug. 2009 Breach Notification rule, which requires that HIPAA-covered entities provide notification following a data breach involving 500 individuals or more, the state of Kentucky has experienced 14 data breaches involving the personal health information in more than 76,000 patient records.