Manitowoc County in Wisconsin suffered a phishing attack which resulted to protected health information (PHI) being stolen. The phishing attack most likely took place on January 14, 2018, however Manitowoc County just found out about the incident and security breach on April 24. Steps to secure the email account was quickly undertaken to keep the attacker from further accessing the account. He already had approximately two-months access to the account and opportunity to steal sensitive data held in the email account.
During the time the attacker accessed the email account, any message sent to the account were forwarded to one more email account that Manitowoc County do not have access to. County officials did not get any report that indicate improper use of the data held in the email account. Even so, there is no guarantee that the hacker didn’t sell or use the sensitive data for fraudulent acts.
The information stolen by the hacker included names, addresses, email addresses, phone numbers and dates of birth. The attacker likewise took the data of those who obtained services from Manitowoc County like their health information, diagnoses, prescription medications, treatment related data, insurance details and client ID numbers.
Manitowoc County did not reveal to the public yet the number of persons affected by the phishing attack and the breach is not yet posted on the Department of Health and Human Services’ Office for Civil Rights breach portal. However, Manitowoc County had sent the notification letters to the persons affected by the security breach.
Manitowoc County cautioned the breach victims that they might get phishing emails that appear to be sent from the organization. County officers mentioned they do not ask for personal data over the phone or via email from any individual affected by the breach. The victims also received the advise to be careful when opening emails or clicking the links in them. They should avoid disclosing sensitive data to any person over a phone call.
Since the incident, Manitowoc County had taken extra steps to enhance the safety controls and establish new policies. Technological solutions and supplemental employee training had been employed to prevent breaches such as this incident from happening again in the future.