GRAND RAPIDS — After a county employee’s email was hacked, personally identifying and protected health information of those receiving services from Itasca County might have been compromised.
Itasca County Health and Human Services, or HHS, is notifying affected people of the situation, according to a Tuesday, June 26, news release. But with the assistance of investigators, county officials also said they believe the information has not been inappropriately used at this time.
Eric Villeneuve, the director of Itasca HHS, said the leak involved information tied to approximately 1,675 people. The hack originated with a phishing email in which the sender pretended to be a services provider with whom the county regularly works, he said.
“We weren’t able to identify the person who was behind the phishing attack, but we were able to identify what email it did come from,” Villeneuve said during a phone interview.
In April, a health and human services employee’s email account began sending unauthorized spam emails. Itasca HHS started an investigation of the incident with the assistance of a nationally recognized digital forensics team, according to the county, to further understand what happened and whether there was unauthorized access to the email box.
On April 28, 2023, Itasca HHS determined there was intermittent unauthorized access to the employee’s email account between April 7-11, 2023. The contents of the email box appeared to have been copied by the unauthorized actor. After reviewing the contents of the email box, county officials established what information may have been involved, who may have been affected and where those people reside.
The affected data varied, but included information maintained to help provide services to the people of Itasca County including an individual’s name or partial name, together with some or all of the following kinds of information: address, date of birth, Social Security number, and information regarding services provided to individuals and/or paid for by Itasca HHS, such as provider names, locations of service, dates of service, case numbers or unique identifiers related to services provided by Itasca HHS, demographic or family referral information, and/or insurance or billing information.
The information may have also included insurance identification number, information regarding physical, medical or mental health conditions, diagnoses and/or treatment, medications, or information related to substance use. For one individual, a driver’s license number was also impacted.
Investigators also searched “dark web” sources and found no indication any of Itasca County’s data was released or offered for sale because of this incident. At this time, Itasca HHS has no indication that any of the information has been inappropriately used by anyone, according to the county.
“We weren’t able to identify the person who was behind the phishing attack, but we were able to identify what email it did come from."Eric Villeneuve, Itasca HHS director
As a precautionary measure, Itasca HHS urged people to take steps to protect personal information by remaining vigilant to the possibility of fraud and identity theft. This includes reviewing and monitoring their Explanation of Benefits forms for any unauthorized activity, the county stated.
If someone’s Social Security number or driver’s license was involved, Itasca HHS is offering credit monitoring services at no cost to the affected individual. Any unauthorized or suspicious activity should be reported immediately to the appropriate authorities, including local law enforcement, according to the county.
In addition, consistent with its compliance obligations and responsibilities, Itasca HHS is providing notice of this incident to the U.S. Department of Health and Human Services and all appropriate state regulators.
“The privacy and security of the information we maintain is very important to the Itasca HHS, and we remain committed to doing everything we can to maintain the confidentiality of such information,” Villeneuve stated in the release.
“Itasca HHS wants to make sure an incident like this does not happen again, so it has taken a number of steps to change the way it protects information and has enhanced its security procedures.”
All county employees receive training on cybersecurity matters, Villeneuve said, and do receive randomized, simulated phishing emails throughout the year to test recognition. Those employed in Health and Human Services must complete additional training through the state of Minnesota on how to handle information securely.
Asked to provide further details on steps in process to prevent future breaches, Villeneuve said the county intends to enhance training to include greater focus on recognizing phishing attempts. The county is also limiting outside access to its network and is working with a third-party vendor on incident response planning and cybersecurity testing services.
“I do know that we want to make sure that everyone takes training and … we’re attempting to make sure that that’s beefed up, too, as well, even though we had it in place prior to this happening,” Villeneuve said.
The breach and the county’s response did not result in any additional spending by the county. Villeneuve said the costs associated with the investigation and credit monitoring for affected individuals are covered by the county’s insurance policy with the Minnesota Counties Intergovernmental Trust.
