A data security breach has occurred in Adams County, Wisconsin where the personal identification information, personal health information and/or tax details of over 258,000 people was exposed and potentially stolen. Adams County discovered questionable activity on its computer system on March 28, 2018, which prompted an investigation to find out if sensitive information was accessed. The investigators confirmed a data breach had occurred on June 29, 2018.
The investigators determined that an unauthorized person accessed PHI and PII and some evidence suggests that the information was stolen. These data were collected from January 1, 2013 to March 28, 2018 and were kept in the computer systems used by the departments of Health and Human Services, Veteran Service Office, Child Support, Extension Office, Solid Waste, Adams County Employees and the Sheriff’s Office.
Adams County officials have confirmed that a criminal investigation into the breach has been launched and that it is ongoing. This is an insider breach and all accounts used by the suspect(s) have been suspended while the investigation is conduced.
According to the television station WAOW, the primary suspect is Cindy Phillippi – The Adams County Clerk. The County Clerk is an elected position. Efforts are underway to have Phillippi removed from office over the breach.
While Phillippi has not yet been charged, a Verified Statement of Charges has been filed. Phillippi has been accused of installing a keylogger on the Adams County network. A keylogger is a type of malware used to capture all keystrokes entered on computers. Virtually all computers belonging to the County had the keylogger installed.
Phillippi is facing the following charges: Unauthorized access of confidential computer records, deleting records, opening checking accounts without authorization, disclosing confidential data to an ex-employee, entering the Health and Human Services building with no authorization, and misleading an investigation.
Phillippi has not admitted wrongdoing, but she has said that she asked for access to confidential files in order to investigate a department head who was suspected of using a work computer to view pornography. She also claimed that she never logged into the system and other people had been using her computer. The Board of Supervisors will wear the case on September 19.
Adams County has already taken steps to improve security and avoid similar breaches. Several entities were consulted to identify potential vulnerabilities and security controls have been upgraded and its monitoring capabilities are in the process of being enhanced. In the meantime, software control mechanisms that were affected by the breach had been disabled. Only one person now holds the administrative controls for system. Affected persons whose PII, PHI or tax information was exposed will receive notifications soon.