The Iowa Department of Human Services was targeted by a phishing campaign Aug. 23, the department announced Oct. 20.
In response to the phishing campaign, nine DHS employees provided their passwords to the hackers, who masked their emails to appear as if they were sent from another IDHS employee. The department discovered the security incident the same day and the employees immediately changed their passwords to block access to their email accounts.
However, the hackers may have accessed the protected health information of 820 individuals prior to the employees' password changes, officials said. IDHS does not have any evidence indicating the hackers accessed or misused any of the exposed emails.
Officials said the department will provide up to one year of free credit monitoring services to affected individuals.
The nine DHS employees who inadvertently provided their passwords to the hackers were required to retake an annual confidentiality training session, which includes information about phishing emails and password protection. The department also plans to implement technological controls to prevent a future hacker from accessing IDHS email accounts by obtaining a user's password.
Editor's note: Becker's Hospital Review reached out to Iowa Department of Human Services for comment and will update as more information becomes available.