Manitowoc County in Wisconsin recently notified an undisclosed number of residents about a breach the agency discovered in April that may have left their protected health information exposed for up to three months.
In January, an unauthorized third-party gained access to a Manitowoc County employee email account, the agency wrote in a June 22 statement. The third-party directed messages sent to the Manitowoc County account to a separate email address not operated by the agency. Some emails included the PHI of individuals the county had provided services to, including names, insurance data and treatment information.
Manitowoc County wrote the employee email account was "most likely" comprised through a phishing attack.
Manitowoc County learned of the incident April 24, at which point the agency's information systems department secured IT systems so the unauthorized third-party could no longer access the employee email account. The agency said it is not aware of any misuse of PHI exposed in the breach.
"Manitowoc County is … assessing further options to enhance our controls and make additional investments in protocols, technology and training to make sure a similar issue does not occur in the future," Manitowoc County wrote in the June 22 statement.
Manitowoc County stressed it sent notices to affected individuals earlier this year, but delivered the additional notice June 22 to those who the agency did not have updated contact information for.