(WBNG) — Broome County is announcing recent developments in an investigation into an early 2019 data breach, which may have put Social Security numbers, bank account information, and medical records at risk.
According to a release sent from Wayne, Pennsylvania law firm Mullen Coughlin LLC on behalf of Broome County late Friday afternoon, the county was made aware on January 2, 2019 of changes made to the direct deposit information of a county employee, sparking an investigation by the county’s internal information technology team. 12 News previously reported on the incident on January 3.
The investigation determined that several county employees’ email and PeopleSoft accounts were accessed without authorization as a result of a “credentials harvesting phishing email.”
Broome County and a leading computer forensics expert determined the unauthorized individual accessed the employee account between November 20, 2018 and January 2, 2019.
On April 1, after reviewing the accounts, the county determined that the affected accounts contained sensitive information and identified the individuals who may have been impacted by the breach.
According to the county, the following departments were impacted by the incident:
In the release from Mullen Coughlin, lawyers say Broome County believes the unauthorized actor possibly had access to the information of individuals who are associated with or received care from the above departments.
“The data at risk includes the following types of information: name, contact information, Social Security number, bank account or other financial information, date of birth, medical record number, patient identification number, medical and/or clinical information including diagnosis and treatment information, health insurance and claims information, and credit card information for one impacted individual,” Mullen Coughlin LLC added in the release.
The notice went on to explain that the only information confirmed to have been accessed or viewed was direct deposit information from some county employees. The county cannot confirm whether any other specific information within the affected accounts was actually viewed without permission, the notice explains.
12 News previously reported on the breach in January, after the county announced some county employees had their direct deposit information compromised.
A spokesperson for Broome County Executive Jason Garnar told 12 News late Friday afternoon that the county had the notice sent out because federal and state law require the county to send out a public notice after the second level of the investigation.
The county says the notification of the breach is out of caution for anyone whose information was available in the email accounts.
The county is working to provide additional safeguards and security measures to beef up security of patient information. These procedures include multi-factor authentication and training for employees to prevent similar breaches in the future.
A phone line was established by the county to help individuals seeking information about the incident. Those who would like more information may call 1-866-775-4209 from 9 a.m. to 6:30 p.m. Monday through Friday.
The county also listed some steps you can take to protect your personal information.