The Iowa Department of Health and Human Services (HHS) in the United States confirmed Tuesday that a cyberattack exposed the personal data of 20,800 Iowans who receive Medicaid.
The Iowa Medicaid system itself was not compromised, according to the agency. Instead, the breach was due to an attack on the contractor’s computer system that occurred from 30 June to 5 July 2022.
The contractor, Telligen, conducts annual assessments of Medicaid members. The company then subcontracted some of that work to his Independent Living Systems (ILS). ILS is the company compromised in the attack.
“Disclosure of this breach took too long. Eight months passed between ILS detecting the breach and Iowa HHS notifying the victim,” said Comparitech Consumer Privacy Advocate. As one Paul Bischoff puts it:
“A lot of damage could have already been done. Criminals could use compromised information in attacks such as identity theft, Medicaid fraud, and phishing.”
Data exposed in the breach included names, Medicaid details, and other sensitive information.
KnowBe4 Security Awareness Advocate Erich Kron commented:
Security experts say the loss of medical information can easily be used to steal someone’s identity, and social engineers use the data to target victims by referencing information they believe to be personal. can be
“This allows the attacker to gain trust with the victim more quickly,” explains Kron.
For more information on healthcare data protection, see #HowTo: Protect Healthcare Provider’s Data.
Also commenting on the news, Chris Hauk, consumer privacy advocate for Pixel Privacy, urged customers to take advantage of the free credit checks and free credit reports.
“They also need to manually monitor their accounts while keeping an eye out for phishing attempts from bad actors,” added Hauk.
The ILS incident comes almost three years after an Ohio Medicaid provider suffered a data breach.
