An Iowa medical billing and reimbursements services company is boosting its cybersecurity after suffering a ransomware attack.
An unknown threat actor hit Timberline Billing Service LLC with malware between February 12 and March 4, 2020. After gaining access to the company's network, the attacker encrypted files and removed information.
Timberline said it was unable to determine precisely what data was exfiltrated, but a review of the files that could have been accessed concluded that current and former students in schools served by the company may have been impacted.
Timberline, which is based in Des Moines, provides services to around 190 schools in Iowa. The security incident was reported to the Department of Health and Human Services’ Office for Civil Rights as a data breach affecting up to 116,131 individuals.
Data accessed by the attacker may have included students' names, dates of birth, Medicaid identification number, and related billing information.
Social Security numbers may also have been accessed in what Timberline described as "very limited instances."
Iowa City Community School District leaders said the ransomware attack "did not involve any access to District’s internal systems or student records."
Timberline started contacting students in Iowa on October 20 to notify them of “a privacy incident that may have involved some of their information.”
While the company says it hasn't yet unearthed any instances of student data being misused, Timberline is offering all students impacted by the incident free credit monitoring and identity protection services.
A toll-free call center has been established by Timberline to support impacted students and their parents.
Company officials said action was being taken to improve Timberline's security systems to prevent a similar attack from happening in the future. Among the steps being implemented were firewall and server upgrades, migrating school and student data to a cloud location, resetting all user passwords, and requiring frequent password rotations.
Other Iowa organizations impacted by malware this year include UnityPoint Health and Iowa State Foundation, both of which suffered a data breach when their third-party vendor Blackbaud was attacked with ransomware in May.