Cyberattackers have managed to steal personal and medical information of children and adults involved in Child Protective Services (CPS) and DHS Division of Family & Children Services (DFCS) cases, the Georgia Department of Human Services (DHS) has disclosed.
According to a press release, unauthorized individuals gained access to DHS employee email accounts between May 3 and May 15, compromising customers’ personal identifiable information and protected health information (PHI).
“On August 10, 2020, DHS learned that the attackers had been able to retain certain emails that contained personally identifiable information and protected health information of children and adults involved in Child Protective Services (CPS) cases of the DHS Division of Family & Children Services (DFCS),” the notification reads.
Although the type of compromised information varies for each case, cybercriminals managed to exfiltrate information including:
• Full names of children and household members
• Dates of birth, age and county of residence
• DFCS case and identifications numbers
• Phone numbers and email addresses
• Social Security numbers
• Medicaid identification number and Medicaid medical insurance number
• Medical provider name and appointment date
The breach also exposed psychological reports, counseling notes, medical diagnoses and substance abuse information for 12 individuals, and the bank account number of one.
The DHS said that are contacting affected customers, providing instructions on how to protect against identity theft crimes.
“As of September 21, 2020, DHS examined the emails in question and began identifying the customers whose information had been accessed,” the DHS added.“Affected clients are being contacted directly by DHS, and instructions are being provided on how clients can protect themselves from further harm.”
Cybercriminals sell stolen PHI on dark web marketplaces or use it in identify-theft-related crimes. Victims should be extra vigilant and check their medical insurance statements for any suspicious entries. In case of fraudulent charges, affected individuals should notify their local authorities and healthcare providers.
It is also recommended to watch out for any unsolicited emails that ask to confirm personal or financial information.