A county in Wisconsin revealed that a phishing attack was most likely to blame for a data breach of some service recipients' personal information. On 22 June, Manitowoc County posted a statement about the incident to its website. County officials wrote that they first learned of the attack on 24 April. Upon discovery of the event, they instructed the County's Information Systems Department to close the instance of unauthorized access. They also initiated an internal review to determine what had happened. Here's what they've learned so far:
On or around January 14, 2018 an unauthorized third party was able to gain access to one Manitowoc County email account most likely through what is called a "phishing" attack. This email phishing attack allowed an unauthorized third party to direct emails to an email account not operated by Manitowoc County. Some of those emails included personal information of individuals we have provided services to.
Authorities for Manitowoc County clarified that the information likely exposed in the breach consisted of protected health information (PHI) including names, addresses, dates of birth, health insurance details, prescription data and other medical information. The noticed didn't shed light on how many people the breach might have affected. However, it did clarify that Manitowoc County hired legal counsel and contacted forensic experts following its discovery of the incident. It also illuminated the County's efforts to secure its networks against similar attacks in the future using new technology and training as well as to notify all individuals whose personal information the incident might have compromised. While it continues to investigate what happened, Manitowoc County warned individuals to be on the lookout for phishing emails that appear to come from County officials. News of this breach follows more than a year after a county located in Ohio suspended its IT system after a ransomware attack affected computers inside its government center.
