The Georgia Department of Human Services (DHS) was the victim of a recent cyberattack in which hackers gained unauthorized access to certain employee email accounts. The result is a data breach of confidential information that was not discovered in its entirety until August 2020 –three months after the initial hack.
The attacks occurred between May 3, 2020, and May 15, 2020. DHS and the Georgia Technology Authority, the state agency responsible for Information Technology Enterprise Management, worked together to resolve the issue. After becoming aware of the attack, immediate actions were taken to lock any compromised accounts and block any malicious actors.
On August 10, 2020, DHS learned that the attackers had been able to retain certain emails that contained personally identifiable information and protected health information of children and adults involved in Child Protective Services (CPS) cases of the DHS Division of Family & Children Services (DFCS). As of September 21, 2020, DHS examined the emails in question and began identifying the customers whose information had been accessed.
The information that was compromised as part of the breach varies by person. Individuals affected may have had the following types of information disclosed: full name of children and household members, relationship to the child receiving services, county of residence, DFCS case number, DFCS identification numbers, date of birth, age, number of times contacted by DFCS, an identifier of whether face-to-face contact was medically appropriate, phone numbers, email addresses, social security number, Medicaid identification number, Medicaid medical insurance identification number, medical provider name and appointment dates.
In addition, psychological reports, counseling notes, medical diagnoses or substance abuse information for 12 individuals was included in the breach. One individual’s bank account number was disclosed.
Affected clients are being contacted directly by DHS, and instructions are being provided on how clients can protect themselves from further harm. Any individual or parents whose child was involved in a CPS case in the Spring of 2020 who thinks their information may have been part of the breach, can call the toll-free number listed below to determine if their information was involved in the incident. Individuals can call 1-888-304-1021 for more information. The call center is available from 9 a.m. to 4 p.m., Monday – Friday, excluding state holidays until Jan. 8, 2021.
DHS is implementing identity and access management options to increase security and prevent future occurrences.