The agency said it became aware of the incident on 20 November 2017, five days after an employee “was the victim” of the phishing email, reports The Associated Press.
Cyber criminals are increasingly targeting medical information stores because of the wealth of personal information they provide that can be used for identity theft, fraud and related crimes.
Phishing emails are commonly used by cyber criminals to trick employees of a target organisation into launching malware that is designed to steal credentials to give attackers access to IT systems.
The breach was reported to the Inspector General, who ordered an investigation. The agency issued a warning after preliminary findings of that investigation indicated that confidential medical information, including names, addresses, dates of birth, diagnoses and medical conditions of up to 30,000 Medicaid patients, may have been accessed.
The agency said that no other systems or email accounts were involved, adding that it considers the breach a very serious matter and is notifying all Medicaid patients who are potentially affected.
“Prior to the review, the employee changed their login credentials to stop inappropriate access,” the agency said in a statement. “Although the review is ongoing, the agency believes that only approximately 6% of these individuals could be confirmed as having their Medicaid ID or social security numbers potentially accessed.”
Although the agency said there is currently “no reason to believe” that the information has been misused, it is offering those affected by the breach a year’s free credit monitoring and has set up a support hotline.
The agency said it has taken steps to protect personal information, including a full review of the breach and “new and ongoing security training” for employees, and is exploring additional security options to protect against further breaches.
Security advisors say organisations need to recognise that technical controls alone are not enough to counter phishing attacks and that security awareness is an essential component.
Many organisations conduct regular phishing simulations to “test” employees and measure behavioural change.