BY CHUCK VANDENBERG
FORT MADISON – An email the Iowa Department of Human Services is sending to 820 families in the state indicates the DHS email system has been compromised by hackers.
According to a letter obtained from Wendy Rickman, administrator of Adult, Children and Family Services Division at DHS, families were being informed about the possibility that “your personal information may have been exposed” and given information on what happened and what can be done if you think your identity has been used by another person.
The letter said DHS was the target of a phishing email campaign on Aug. 23, 2017, in which hackers masked their identities and sent very carefully designed phishing emails to employees that appeared as if they were sent from another trusted DHS employee.
Several calls to the state DHS offices went unreturned Friday afternoon. A representative at the Des Moines County DHS office referred the issue to the state offices. A call to Matt Highland, the interim public information officer for DHS, went unreturned. He did, however, send an email with a press release made available on Oct. 20 through the state website at www.dhs.state.ia.us.
In the press release, the department indicated “the hackers potentially accessed Protected Health Information (PHI) for 820 individuals during the timeframe before passwords were changed. At this time, DHS does not have any evidence to indicate the hackers actually accessed any of the exposed emails.”
“As a result, nine DHS employees provided their passwords, which gave the hackers access to their email accounts,” Rickman wrote in her letter, a copy of which was emailed to families suspected of having compromised personal data. The nine employees were required to re-take the annual confidentiality training sessions, which include detailed information about phishing emails and password protection.
“Fortunately, the campaign was discovered the same day the phishing email was sent to DHS, and the employees changed their passwords as soon as possible to block access to their email accounts and to minimize the potential for confidential information to be exposed. All DHS employees were quickly alerted to the phishing email campaign to prevent access to additional email accounts. At this time, DHS does not have any evidence to indicate the hackers actually accessed any of the exposed emails.”
The letter indicated that a “large” number of emails sent to and from DHS are encrypted and those communications would not have been subject to the hackers’ protocols, but unencrypted emails do exist and DHS staff is reacting to those emails.
“As a security measure, we reviewed all unencrypted email that may have been accessed and viewed to identify specific individuals whose confidential information may have been exposed. Any individuals whose Protected Health Information (PHI) or Personally Identifiable Information (PII) may have been compromised are being notified,” Rickman wrote.
Types of Information Involved:
The following types of information were included in the emails:
• Name
• Social security number
• Address
• Driver’s license number
• Date of birth
• Bank account information
• Medical information
• Medicaid eligibility, Medicaid ID number
• Mental health information
• Substance abuse information
The letter goes on to specify how to take advantage of free credit reporting services for one year.
“As a safeguard, we have arranged for you to enroll, at no cost to you, in an online credit monitoring service for one year provided by TransUnion Interactive, a subsidiary of TransUnion®, one of the three nationwide credit reporting companies. This service will be available to you for enrollment from October 23, 2017 through January 31, 2018 only. If you wish to access this service, you need to call the Iowa Concern Hotline at 1-800-447-1985 for enrollment instructions. This hotline is available Monday through Friday between the hours of 8:00 a.m. and 8:00 p.m., excluding federal and state holidays.”