August 22, 2018
More than 258,000 people have had their private health information, private identification information and/or tax information available online because of a data safety incident in Adams County, Wisconsin.
A possible safety breach was found on March 28, 2018 after doubtful activity was noted on the Adams County computer system and network. An inquiry was kicked off to decide whether any confidential data had been retrieved and on June 29, a data breach was verified to have happened.
Some proof has been found that means PHI and PII has been retrieved and possibly downloaded by an illegal person. 258,102 people have possibly been impacted.
The disclosed data was obtained between January 1, 2013 and March 28, 2018 and were stored on the systems used by the divisions of Health and Human Services, Adams County Employees, Extension Office, Veteran Service Office, Child Support, Solid Waste, and the Sheriff’s Office.
A criminal inquiry has been started into the breach and the suspect(s) have been barred from retrieving the whole Adams County network and accounts have been deactivated pending a detailed investigation.
As informed by TV station WAOW, the main suspect appears to be Adams County Clerk, Cindy Phillippi. Efforts are presently in place to have Phillippi removed from office.
A Confirmed Statement of Charges has been submitted against Phillippi who is supposed to have installed a keylogger on the network – a type of malware that logs all keystrokes entered on computers to record passwords and other confidential information. The keylogger was loaded onto virtually all computers possessed by the county.
Phillippi has been charged with the illegal retrieving of private computer records, seeing unapproved checking accounts, deleting records, accessing the Health and Human Services building without official permission, sharing private information with a former worker, and deceiving an inquiry into her actions. Phillippi’s laptop has been taken and is being forensically scrutinized. Phillippi has not yet been accused of any cybercrimes.
Phillippi has rejected most of the claims and says she asked to be given access to private records to study a doubted case of pornography access by a division head. She also asserted that she didn’t log in to the system and that other people had used her computer. The case is due to be heard by the Board of Supervisors on September 19.
Measures have already been taken to increase safety and halt any more breaches. The county has discussed with many different units to detect possible vulnerabilities, safety upgrades have been finished, and the County is working on improving its checking capabilities.
The County is presently looking into a long-term solution to increase safety, even though in the meantime software control methods that had been manipulated have been switched off and administrative controls for the system and data access have now been placed in the control of one person.
Warnings will be issued to all people whose PHI, PII, or tax information was disclosed.