Data Breach

NOTICE TO 

(1) All Individuals who, from the Time Period of January 1, 2013 through March 28, 2018, had the below described information on the Adams County computer network and system;

(2) All Individuals whose Personal Identification Information (PII), Personal Health Information (PHI) and/or Tax Intercept Information (TII) was held on the Adams County computer network and system during the above time period;

(3) All Individuals whose PII, PHI, and/or TII was held in the following departments on the Adams County Website, including Veteran Service Office, Extension Office, County Employees, Solid Waste, Health and Human Services, Child Support, and Sheriff's Office, during the above time period.

RE: NOTICE OF UNAUTHORIZED ACCESS AND/OR ACQUISITION OF PERSONAL IDENTIFICATION INFORMATION, PERSONAL HEALTH INFORMATION AND/OR TAX INTERCEPT INFORMATION FROM THE ADAMS COUNTY COMPUTER NETWORK AND SYSTEM

Dear Impacted Individuals:

            Adams County is writing to you with important information about unauthorized access and/or acquisition of Personal Identification Information (PII), Personal Health Information/Protected Health Information (PHI) and/or Tax Intercept Information (TII) on the Adams County computer system and network from the time period of January 1, 2013 through March 28, 2018. Pursuant to federal and state statutes, since Adams County has insufficient or out-of-date contact information for 10 or more of the impacted individuals described above, Adams County is providing the following notice to all impacted individuals through this Adams County website.

            At the present time, there is no indication that this information was acquired or used by any third party or that any identity theft has occurred as a result of this data and privacy breach. Nevertheless, as a precautionary measure, we recommend immediate steps be taken to protect yourself from any identity theft as a result of unauthorized access to your information during the breach. Please consider taking the following action:

(1) Register a fraud alert with the three credit bureaus listed here, and order credit reports:

Experian: (888) 397-3742; www.experian.com; PO Box 9532, Allen, TX 75013
TransUnion: (800) 680-7289; www.transunion.com; Fraud Victim Assistance Division, PO Box 6790, Fullerton, CA 92834-6790
Equifax: (800) 525-6285; www.equifax.com; PO 740241, Atlanta, GA 30374-0241

(2) Order your free annual credit reports.

Visit www.annualcreditreport.com or call 877-322-8228.  Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize.  Verify all information is correct.  If you have questions or notice incorrect information, contact the credit reporting company.

(3) Monitor bank, credit card and other account statements, explanation of benefits statements (EOBs), and credit reports closely. Be proactive and create alerts on credit cards and bank accounts to notify you of activity.

            If you detect suspicious activity for your authorized card(s), please consider cancelling your current card(s) and request issuance of new card(s) with new number(s).  If you detect suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. If you should discover any fraudulent activity or any suspected incidence of identity theft, please contact your law enforcement authority, your state attorney general and/or the Federal Trade Commission. To file a complaint with the Federal Trade Commission, visit their website at www.ftc.gov/idtheft and/or call 1-877-ID-THEFT (877-438-4338).

            On or about March 28, 2018, Schenck, who was conducting an information technology incident investigation, discovered questionable activity on the Adams County computer system and network. The investigation into the software as well as the computer system and network continued and the breach was confirmed in late June 2018. On June 29, 2018, Adams County received a comprehensive, forensic report from Schenck that Personal Identification Information, Personal Health Information/Protected Health Information and/or Tax Intercept Information for approximately 258,120 individuals whose information was present on the Adams County computer network and system in the following departments: Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, Health and Human Services, Child Support and Sheriff's Office from the time period of January 1, 2013 through March 28, 2018. There is evidence that there was unauthorized access of this information and/or unauthorized acquisition of this information. Unauthorized individual(s) obtained rights, user names and passwords by manipulation of certain software programs on the Adams County computer network and system that allowed them access to environments that were beyond their role and/or department. The access to PII, PHI and TII was beyond any authorized purpose to use, disclose or request such information.

            Steps that were taken include a criminal investigation of this data and privacy breach by law enforcement agencies, which has been initiated and is currently ongoing. Suspect(s) have been identified during the course of the investigation and the suspect(s) no longer have any access rights to view the entirety of the Adams County computer network and system. Further steps were taken to remedy the unauthorized access and there is limited access to the Adams County computer system and network. The suspect(s)' accounts have been suspended and the suspect(s) no longer have access to the system. All software control measures manipulated during the operative time period have been disabled. Access to control and/or authorize access to the involved departments has been restricted and placed in the control of one designated individual. A long-term solution to prevent any future breaches is currently being examined and will be instituted as soon as feasible in light of current design and costs.

            What information was involved? Adams County is publishing this Notification on its website because your PII, PHI and/or TII, which appeared on the Adams County computer network and system during the operative time period of January 1, 2013 through March 28, 2018, had been breached. The Wisconsin statute, 134.98, defines Personal Identification Information (PII) as follows: an individual's last name and the individual's first name or first initial, in combination with one of the following: social security number, driver license number, account number or credit card or debit number or security/access code to permit access to financial account, DNA profile, or unique biometric data. HIPAA Protected health information (PHI) is any piece of information in an individual’s medical record that was created, used, or disclosed during the course of diagnosis or treatment that can be used to personally identify them. This includes a wide variety of identifiers and different information recorded throughout the course of routine treatment and billing. Collecting PHI is a necessary component of the health care industry, and it needs to be attended to with the proper safeguards. Below, we’ve listed the 18 types of information that qualify as PHI according to guidance from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). HIPAA protected health information includes information such as:

  1. Name
  2. Address (including subdivisions smaller than state such as street address, city, county, or zip code)
  3. Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
  4. Telephone number
  5. Fax number
  6. Email address
  7. Social Security number
  8. Medical record number
  9. Health plan beneficiary number
  10. Account number
  11. Certificate/license number
  12. Vehicle identifiers, serial numbers, or license plate numbers
  13. Device identifiers or serial numbers
  14. Web URLs
  15. IP address
  16. Biometric identifiers such as fingerprints or voice prints
  17. Full-face photos
  18. Any other unique identifying numbers, characteristics, or codes

            Internal Revenue Code Section 6103 defines Federal Tax Information as federal tax returns and return information (and information derived from it) that is in the agency's possession or control which is covered by the confidentiality protections of the Internal Revenue Code and subject of Internal Revenue Code Section 6103(p)(4). Internal Revenue Code Section 6103(b)(1) defines a return as any tax or information return, estimated tax declaration, or refund claim required by or permitted under the Internal Revenue Code and filed with the Internal Revenue Service. Federal Tax Information may also include Personal Identification Information.

            Adams County respects the privacy of your information and takes very seriously our role in safeguarding your information. We regret that this incident occurred and apologize for any inconvenience this matter has caused. We will continue to do everything we can to correct this situation and fortify our operational protections for you and others.

            You may contact Adams County with questions and concerns in the following ways: (1) by calling Casey Bradley at our toll-free number (833) 236-0173 between the hours of 8:00 a.m. and 4:30 p.m.; (2) sending an e-mail message to databreach@co.adams.wi.us; or, (3) addressing a letter to our postal address at PO Box 102, Friendship WI 53934.

Sincerely,

Casey Bradley
County Manager/Administrative Coordinator
Adams County
Phone: 1-833-236-0173
databreach@co.adams.wi.us