The Wisconsin department discovered a former employee accessed patient data for months.
The Douglas County Department of Health and Human Services recently released a one-page notice regarding a data breach, which was discovered by the organization approximately six months ago.
According to the statement, an employee accessed personal information between August 2022 and May 13th, 2024, when the breach was discovered. Upon discovery, the employee was terminated and the organization conducted an investigation with police assistance.
Accessed data may have included Social Security numbers, health plan information, medical diagnoses, and vehicle identification information.
The Department of Health and Human Services is responsible for overseeing the county’s healthcare providers and serves over 44,000 residents.
Anna Carlson, the department’s director, said they followed all state and federal guidelines for breach response. The team sent out 316 notices to individuals impacted but only sent letters to those the team had home addresses on file for. Individuals who don’t receive a letter would have to go to the county’s website to know the breach had taken place.
Chief of Police, Paul Winterscheidt, said an investigation had begun on June 13th, 2024.
“At this time, there is no indication that the information that may have been viewed without authority was used for identity theft, financial theft, or in any other malicious manner,” the online notice read. “The Department takes very seriously its role of safeguarding our client’s personal information and using it in an appropriate manner.” The county shared that they have policies and procedures designed to protect patient privacy.
The federal HHS is responsible for keeping track of breaches, through its Office for Civil Rights (OCR). This department has the responsibility of investigating breaches, auditing covered entities, publishing information regarding breaches, and overseeing corrective action for organizations that were responsible for a breach or failed to adequately protect data. For a smaller, county-level HHS department to face a data breach shows that breaches can affect any organization.
When breaches impact governing bodies like the HHS, it can lay the groundwork for how other organizations may respond to their own breaches.
The breach against Douglas County is also a reminder that the size of an organization rarely matters to threat actors, who often act based on opportunity. Thus, every healthcare organization, no matter how big or small, should prioritize data security.
Read more: HIPAA Compliant Email: The Definitive Guide