The Cabinet for Health and Family Services is informing approximately 2,500 clients by letter of a possible employee e-mail account breach that may have resulted in the unintentional release of information held by the Cabinet's Department for Community Based Services (DCBS).
In July, a DCBS employee responded to a "phishing" e-mail sent by a hacker. Unauthorized activity on the account was identified within a half hour and the account was immediately disabled. While there is no evidence that the confidential contents of the e-mail account were accessed or viewed, the hacker did have access to the e-mail account for a brief period. Data about the individuals being notified was included in the National Youth Transition Database monitoring those in the process of or who have recently aged out of the foster care system.
"In all likelihood, the hacker intended to access the state government e-mail server to send spam e-mails and did not access or view client information," said Rodney Murphy, executive director of the Office of Administrative and Technology Services. "However, out of an abundance of caution, we are notifying clients who might have been affected by this incident. The Cabinet and DCBS take our role of safeguarding the personal information of those we serve very seriously and have increased awareness activities for staff to help protect against future issues of this kind."
The Cabinet is required to notify clients individually of any potential breach involving more than 500 individuals by the federal Health Insurance Portability and Accountability Act, more commonly known as HIPAA. Individuals who believe their information may have been involved or who need additional information should contact Sharon Hilborn by e-mail at SharonK.Hilborn@ky.gov or by phone at (502) 564-3703, ext. 3795.