Georgia DHS Breach: What Happened
Georgia DHS issued a press release after discovering that an unauthorized entity had gained access to the protected health information (PHI) and personally identifiable information of some of its CPS and DFCS cases. The access stemmed from a phishing attack that gave unauthorized individuals access to a Georgia DHS employee’s email account.
The phishing attack, which allowed unauthorized access to information from May 3 to May 15, was discovered on August 10, 2020.
When disclosing the Georgia DHS breach in a press release, DHS stated:
“The information that was compromised as part of the breach varies by person. Individuals affected may have had the following types of information disclosed: full name of children and household members, relationship to the child receiving services, county of residence, DFCS case number, DFCS identification numbers, date of birth, age, number of times contacted by DFCS, an identifier of whether face-to-face contact was medically appropriate, phone numbers, email addresses, social security number, Medicaid identification number, Medicaid medical insurance identification number, medical provider name and appointment dates.”
In addition to that information, 12 individuals also had their counseling notes, psychological reports, medical diagnoses, and substance abuse information exposed in the Georgia DHS breach. One individual’s bank account information was also compromised.
The DHS has conducted an investigation into the incident and is in the process of notifying the affected individuals.