Officials with the Iowa Department of Human Services say the state agency was the target of a phishing email campaign last August that resulted in nine DHS employees providing their passwords which gave the hackers access to their email accounts.
The hackers were able to mask their identities and send very carefully designed phishing emails to employees to appear like they were sent from another trusted DHS employee, according to the department. The campaign was discovered the same day the phishing email was sent, and DHS employees changed their passwords to block access to their email accounts and to minimize the potential for confidential information to be exposed, the department said in a news release.
However, the hackers potentially accessed protected health information for 820 individuals during the timeframe before passwords were changed. At this time, DHS officials say the agency does not have any evidence to indicate the hackers actually accessed any of the exposed emails. All individuals potentially affected are being notified by mail.
Although the chance that these individual?s personal information will be misused is small, DHS officials say they will provide up to a year of credit monitoring through TransUnion Interactive at no charge to all those affected.