Messy Insider Breach Impacts 258,000 Over Five-Year SpanKeylogging Software Allegedly Used to Gain Unauthorized Systems Access
A messy insider incident - allegedly involving an elected official in Wisconsin who is suspected of installing keylogging software to inappropriately access county systems over a five-year span - has impacted more than 258,000 individuals.
In a recent notice, Adams County, Wis. says that on March 28, an IT investigation uncovered "questionable activity" on the county's computer systems and networks. By late June, a "comprehensive" forensic review confirmed that data - including personally identifiable information, protected health information and tax information - of 258,120 individuals had been inappropriately accessed between Jan. 1, 2013 and March 28, 2018.
"There is evidence that there was unauthorized access of this information and/or unauthorized acquisition of this information," the statement says.
"Unauthorized individual(s) obtained rights, user names and passwords by manipulation of certain software programs on the Adams County computer network and system that allowed them access to environments that were beyond their role and/or department. The access to PII, PHI and TII [tax information] was beyond any authorized purpose to use, disclose or request such information," the county says.
Casey Bradley, Adams County manager and administrative coordinator, tells Information Security Media Group that an IT investigation found on March 28 that unauthorized keylogging software was installed on the county's systems in January 2013. The software was disabled by the county upon its discovery on March 28, and unauthorized access blocked, he says.
So far, there is no indication that the compromised information has been used by any third party or that any incidents involving identity theft have occurred as a result of the breach, he says. The county has "not yet" offered free credit monitoring to affected individuals, but as a precautionary measure it recommends those impacted to take steps including registering for a fraud alert with the three major credit bureaus, he says.
Law enforcement is investigating the matter, Bradley adds, declining to discuss the identity of "the individual or individuals" who are suspected to have installed the keylogging software.
However, according to local news sites, the Wisconsin Division of Criminal Investigation filed search warrants on Aug. 3 and 6 to investigate a laptop computer used by current elected Adams County Clerk Cindy Phillippi.
A search warrant affidavit alleges Phillippi installed a computer logging tool and captured keystrokes for nearly all computers owned by the county, but has not been charged criminally, according to a an Aug. 15 news story by ABC News affiliate WAOW in Wausau, Wis.
Additionally, in a "verified statement of charges," the Adams County personnel director asks the Adams County Board to hear the charges against Phillippi and requests that she be removed from her elected office of county clerk, the news site reports.
Phillippi reportedly claims she asked for access to confidential computer records because she wanted to investigate a county department head that she believed was using his county computer to access pornography, according to the news site.
The Wisconsin Department of Justice did not immediately respond to an ISMG request for comment on the investigation.
ISMG attempted to reach Phillippi for comment, but Wisconsin phone numbers listed for "Cindy Phillippi" have been disconnected and/or are no longer in service.
The forensic investigation into the incident determined that the data allegedly accessed was contained on systems of a number of county departments, including the Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, Health and Human Services, and Child Support and Sheriff's Office, the Adams County statement says.
In addition to notifying affected individuals, the county is also reporting the incident to a several state and federal regulatory authorities, including the Department of Health and Human Services' Office for Civil Rights as a HIPAA breach, as well as to the Internal Revenue Service, Bradley tells ISMG.
As of Aug. 20, the Adams County incident had not yet been posted to HHS OCR's HIPAA Breach Reporting Tool website. Commonly called the "wall of shame", the website lists reports of health data breaches impacting 500 or more individuals.
Once OCR confirms details of the Adams County breach, the incident will potentially be one of largest health data breaches posted to the wall of shame in 2018.
The many years that lapsed between the alleged unauthorized installation of the keylogging software by an insider and its discovery at Adams County is disturbing, says attorney James DeGraw, partner at law firm Ropes & Gray, and co-lead of the firm's digital health initiative.
"It's not usual to see people take a long time to discover a breach because they haven't put together a robust security program," he says. However, "the fact that you could have somebody who could install a [software] program that clearly should have violated acceptable use policies at an organization - and not be detected - suggests there are other weaknesses in the security program itself," DeGraw says.
Government organizations, similar to healthcare entities, often "get IT installed in bits and pieces, and it's hard to manage disparate technologies ... with everyone getting their own credentials," he notes. "That's a nightmare, and that creates a real weakness and concern when we're talking about government actors in the current environment. People are interested in government computers for lots of reasons."