Business associate of Maryland Developmental Disabilities Administration hacked in October

David Dishneau of Associated Press reports:

A state-licensed provider of services to developmentally disabled Marylanders says someone stole computerized Social Security and medical information for about 9,700 clients.

Frederick-based Service Coordination Inc. said Monday it learned of the security breach in October but didn’t notify affected individuals until Friday. The organization says part of the delay came at the request of the U.S. Justice Department to allow for a federal investigation.

Service Coordination says investigators have identified the alleged hacker and seized that person’s property.

Read more on Miami Herald.

A notification posted on the provider’s website today says:

Service Coordination Inc. (SCI) provides case management services to Maryland residents. In connection with those services, the Maryland Developmental Disabilities Administration (DDA) shares with SCI certain personally identifiable information and personal health information of Maryland residents in electronic form.

On October 30, 2013, SCI discovered that between October 20 and October 30, 2013, its computer systems had been hacked and that an individual had gained unauthorized access to those electronic files. Those improperly accessed files included the name of certain Maryland residents to whom SCI provides services, along with each of those individuals’ social security number, medical assistance number, Medicaid and Medicaid Waiver status and reason, DDA direct service provider, demographic and other information  related to SCI’s case management services.

Upon discovering this criminal, unauthorized access to its systems, SCI promptly engaged a cybersecurity forensics consultant, took steps to remedy the breach and prevent further unauthorized access, and alerted DDA, the FBI and the U.S Department of Justice. During the course of the ensuing criminal investigation, the Department of Justice required that notice to affected individuals be delayed so as not to impede their criminal investigation. That delay was recently lifted after law enforcement identified the alleged hacker, conducted a search of the alleged hacker’s home and seized certain of the alleged hacker’s equipment and accounts. SCI has now provided notice to affected individuals and others in accordance with applicable law, on behalf of DDA.

There is no current evidence of any misuse or further release of information by the hacker or others. To help protect affected Maryland residents from the possibility of identity theft and/or fraud as a result of this incident, SCI has engaged an identity theft protection firm, to provide affected individuals with a full year of identity theft protection services at SCI’s expense.

“We regret the occurrence of this unfortunate criminal incident and we apologize for any inconvenience this may have caused individuals who we work with. We continue our vigilant actions to safeguard the information of those who count on us for resource coordination services and we remain committed to supporting their needs,” said John Dumas, Executive Director of Service Coordination.

SCI urges affected Maryland residents to monitor account statements for unexplained, suspicious or unauthorized activity, obtain a free annual credit report at www.annualcreditreport.com, and to contact the Federal Trade Commission or the national credit reporting agencies—Equifax, Experian, and TransUnion—to obtain information about additional protections, such as fraud alerts and security freezes. Affected individuals may also contact the Consumer Protection Division of the Maryland Office of the Attorney General for Maryland-specific information.

 

About the author: Dissent