The personal health information, personal identification information and/or tax information of more than 258,000 people was accessible online due to a data security incident in Adams County, Wisconsin.
A possible security breach was discovered on March 28, 2018, after suspicious activity was noticed on the Adams County computer system and network. An investigation was launched to determine whether any sensitive data had been accessed, and on June 29 a data breach was confirmed to have taken place.
Some evidence has been found that suggests PHI and PII have been accessed and potentially downloaded by an unauthorized person. 258,102 individuals have potentially been impacted.
The exposed data was obtained between January 1, 2013 and March 28, 2018 and was stored on the systems utilized by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.
A criminal investigation into the breach has been initiated. The suspect(s) have been blocked from accessing the entire Adams County network, and accounts have been disabled pending a thorough investigation.
As reported by TV station WAOW, the prime suspect seems to be Adams County Clerk Cindy Phillippi. Efforts are under way to have Phillippi removed from office.
A Verified Statement of Charges has been submitted against Phillippi, who is believed to have installed a keylogger on the network – a form of malware that logs all keystrokes entered on computers to record passwords and other sensitive information. The keylogger was loaded onto almost all computers owned by the county.
Phillippi has been accused of unauthorized access to confidential computer records, viewing unauthorized checking accounts, removing records, accessing the Health and Human Services building without authorized permission, sharing confidential information with a former employee, and misleading an investigation into her actions. Phillippi’s laptop has been taken and is being forensically examined. Phillippi has not yet been charged with any cyber crimes.
Phillippi has denied most of the claims and says she asked to be given access to confidential records to review a suspected case of pornography access by a department head. She also alleged that she did not log in to the system and that other people had used her computer. The case is due to be heard by the Board of Supervisors on September 19.
Measures have already been put in place to enhance security and stop any further breaches. The County has consulted with several different entities to identify possible weaknesses, security upgrades have been completed, and the County is working on improving its monitoring capabilities.
The County is currently looking into a long-term solution to enhance security. In the meantime, software control mechanisms that had been manipulated have been switched off, and administrative controls for system and data access have now been placed in the control of one person.
Alerts will be issued to all individuals whose PHI, PII, or tax information was exposed.