June 15, 2020
Posted 6/1/20, Updated 6/15/20
The Department of Behavioral Health and Intellectual disAbility Services (“DBHIDS”) is posting this notice to alert individuals that their personal health information may have been compromised as a result of a cybersecurity attack. This incident may impact individuals served by:
- the Division of Intellectual disAbility Services (“IDS”) which coordinates and administers home and community habilitation, adaptive equipment, behavior and other therapies, early intervention, and residential, respite, employment, and day services for individuals with intellectual disabilities in Philadelphia; and
- Community Behavioral Health (“CBH”), a business associate of DBHIDS which assists DBHIDS in administering the behavioral health Medicaid program (HealthChoices) for the Philadelphia region.
On March 31, 2020, DBHIDS learned that an IDS employee’s email account had been compromised as a result of a phishing attack. The Office of Innovation and Technology’s Information Security Group (“OIT”) immediately secured the account and began an investigation. OIT learned that several additional accounts were compromised: an IDS account discovered on April 2, a CBH account discovered on April 15, and a DBHIDS account discovered on April 20. Each account was secured immediately upon discovery. OIT’s investigation is ongoing, and additional DBHIDS and CBH accounts are being reviewed to determine whether they were also compromised. These attacks are believed to be connected to a series of malicious attacks targeting health care and social services agencies during the COVID-19 global pandemic.
To date, the investigation has been unable to confirm whether unauthorized persons have viewed any emails or attachments in the compromised accounts. The accounts contained demographic and health-related information of individuals receiving services and supports through DBHIDS and CBH, including: names, dates of birth, addresses, account and/or medical record numbers, Social Security numbers, health insurance information, clinical information such as diagnosis, dates of service, provider names, and description of services the individual has applied for or was receiving. For a limited number of individuals served by IDS, the accounts also contained scans of birth certificates, driver’s licenses, and Social Security cards.