Emily Scott reports: The City of Philadelphia has released an update on an investigation into a data breach that left some employee email accounts accessible to unauthorized individuals. The incident,�initially identified in march 2020,�was the result of an employee�s email account that was exposed due to a phishing attack. The transgress impacted people receiving services from the department of Behavioral Health and Intellectual handicap Services, as well as Community Behavioral Health, a nonprofit contracted by the city to dispense the behavioral health Medicaid program, HealthChoices. read more on WHYY. The text of the city’s press release of May 27 follows: PHILADELPHIA ��The city of Philadelphia (the �City�) announced today an update on its investigation into a surety incident that may have permitted multiple employee email accounts to be accessed by unauthorized individuals. This update relates to the incident initially reported on June 1, 2020, which impacted individuals served by the department of Behavioral Health and Intellectual disAbility Services (�DBHIDS�) and its business associate, Community Behavioral Health (�CBH�) (posted�online here). CBH assists DBHIDS in administering the behavioral health Medicaid program (HealthChoices) for the Philadelphia region. The City�s investigation since the initial story revealed that the incident impacted email accounts utilized by additional City departments. On march 31, 2020, DBHIDS learned that an employee�s email account had been compromised as a result of a phishing attack. The Office of Innovation and Technology�s info Security group (�OIT�) immediately secured the account and began an investigation. Following this initial discovery, OIT discovered multiple additional DBHIDS and CBH accounts that were compromised as part of the attack. The password for each account was changed promptly upon discovery. The City�s investigation efforts experience confirmed that the DBHIDS and CBH accounts were subject to unauthorized access intermittently between mar 11 and November 15, 2020. The investigation further confirmed that additional city departments� accounts were intermittently subject to unauthorized access between the start of this incident and january 2021. This assault is believed to be connected to a series of malicious attacks that targeted health care and social services agencies during the COVID-19 global pandemic. To date, the investigation has been unable to confirm whether any unauthorized persons have viewed any emails or attachments in the compromised accounts. The DBHIDS and CBH accounts contained demographic and health-related information of individuals receiving services and supports through DBHIDS and CBH, including: Names, dates of birth, addresses; account and/or medical register numbers; Health insurance information; Clinical information such as diagnosis, dates of service, provider names, and description of services the individual has applied for or was receiving; and For a limited number of individuals, scans of birth certificates, driver�s licenses, and/or Social Security cards. The city continues to brushup the information pose in the remaining departments� accounts but believes that such info may include a unify of personally identifiable info such as names, dates of birth, addresses, driver�s license numbers or state recognition numbers, and social Security numbers. last August, DBHIDS began sending individual notification letters to affected individuals, and in those letters, offered complimentary credit and identity monitoring services. Since August, DBHIDS has continued to send notification letters, and offer these services as the identities and addresses of individuals whose info may get been exposed were determined. Similarly, after CBH�s investigation concluded in March, CBH began sending out notice letters to the individuals potentially impacted in the incident. DBHIDS and CBH posted reserve observation of the incident on their websites on June 1, 2020 and have continued to supply updates as the investigation progressed. The City is in the outgrowth of sending direct notifications to individuals identified through its review of the remaining departments� accounts. The City encourages everyone to routinely remain vigilant against incidents of indistinguishability theft and fraud by regularly reviewing bank account and credit card statements and monitoring health insurance claims or service authorization history for suspicious activity. The city has made significant security improvements in response to this incident and the increasing cyber threats to local governments. To better protect against future incidents, the city has increased monitoring of network activity and implemented additional tools to enhance email security such as expanding multi-factor authentication to cover all of City email accounts. As piece of its ongoing dedication to info privacy and security, the City has also updated its security policies and procedures and continues to school users on how to identify and invalidate malicious emails. Individuals served by DBHIDS with questions or concerns can call 1-855-763-0063 for more information. CBH members can call 1-833-664-2001 for more information. Individuals who are not associated with DBHIDS or CBH but get direct notice of this incident will receive tangency info to utilize for further questions regarding this incident.
