The Iowa Department of Health and Human Services (HHS) in the US confirmed on Tuesday that the personal data of 20,800 Iowans who receive Medicaid was exposed due to a cyber-attack.
According to the department, the Iowa Medicaid system itself was not compromised. Instead, the breach was due to an attack on a contractor’s computer systems that occurred between June 30 and July 5, 2022.
The contractor, Telligen, performs annual assessments for Medicaid members. The company, in turn, subcontracted part of that work to Independent Living Systems (ILS), which was the firm compromised in the attack.
“Disclosure of this breach took far too long. Eight months passed between ILS detecting the breach and Iowa HHS informing victims,” said Paul Bischoff, consumer privacy advocate at Comparitech.
“A lot of damage could have already been done. Criminals could use the breached info for identity theft, Medicaid fraud and phishing, among other attacks.”
Data exposed in the breach included names, Medicaid details and other sensitive information.
“While it’s always concerning when an organization has a data breach, when the information that is lost is medical in nature, it can be even more of an issue,” commented Erich Kron, security awareness advocate at KnowBe4.
According to the security expert, lost medical information can easily be used to steal someone’s identity, and social engineers can use the data to target victims by referencing information the victims believe is private.
“This allows attackers to gain trust with the victims much more quickly,” Kron explained.
Also commenting on the news, Chris Hauk, consumer privacy advocate at Pixel Privacy, urged customers to take advantage of the free credit monitoring and the free credit report.
“They should also manually keep an eye on their accounts while also staying alert for any phishing attempts from the bad guys,” Hauk added.
The ILS incident comes almost three years after an Ohio Medicaid provider suffered a data breach.