The Department of Behavioral Health and Intellectual disAbility Services (“DBHIDS”) is posting this notice to alert individuals that their personal health information may have been compromised as a result of a cybersecurity attack. This incident may impact individuals served by DBHIDS or its business associate, Community Behavioral Health (“CBH”), which assists DBHIDS in administering the behavioral health Medicaid program (HealthChoices) for the Philadelphia region.
On March 31, 2020, DBHIDS learned that an employee’s email account had been compromised as a result of a phishing attack. The Office of Innovation and Technology’s Information Security Group (“OIT”) immediately secured the account and began an investigation. Following this initial discovery, OIT discovered multiple additional DBHIDS and CBH accounts that were compromised as part of the attack. The password for each account was changed promptly upon discovery. OIT’s investigation is ongoing and additional DBHIDS and CBH accounts are being reviewed to determine whether they were also compromised. As of the date of this posting, the City’s investigation efforts have confirmed that additional DBHIDS and CBH accounts were subject to unauthorized access intermittently between March 31 and November 15, 2020. These attacks are believed to be connected to a series of malicious attacks targeting health care and social services agencies during the COVID-19 global pandemic.