Manitowoc County in Wisconsin fell victim to a phishing attack that resulted in the theft of protected health information (PHI). The phishing incident happened on or around January 14, 2018, but Manitowoc County only discovered the data breach on April 24.
The individual behind the attack had set up a redirect on the affected email account, so all messages sent to it were forwarded to another email account that is not accessible to Manitowoc County staff. While PHI has been obtained by an unauthorized individual, no reports have been received to suggest any PHI has been misused.
The stolen information includes names, phone numbers, addresses, email addresses, birth dates, health data, insurance details, medications, diagnoses, treatment-related data, and client ID numbers. Manitowoc County has sent notification letters to the individuals affected by the phishing attack.
Manitowoc County has warned breach victims of the risk of phishing emails claiming to be from Manitowoc County. County officials stated they will not ask patients to provide personal information via email or telephone about this incident. Individuals impacted by this attack have also been told to be wary of any email containing attachments and hyperlinks, to be alert to the risk of phishing, and not to disclose sensitive information to anyone over the phone.
Manitowoc County has now taken further steps to improve its security controls, and new protocols have been developed to reduce the potential for further successful phishing attacks. Employee training will also be enhanced to raise awareness of the risk of phishing.
Manitowoc County has not disclosed to the public how many individuals were impacted by the incident, and the data breach is not yet listed on the breach portal of the Department of Health and Human Services’ Office for Civil Rights.