Another public health service data breach has recently been discovered. This time around it is current and former members of the Commissioned Corps that have been affected. This week the Surgeon General emailed current, former, and retired Commissioned Corps officers to alert them to a potential breach of their data after it was discovered that an unauthorized individual gained access the agency’s personnel system.
The system is used for payroll and other HR functions, including logging annual leave, hours worked, and attendance. Names, dates of birth and Social Security numbers may have been viewed and/or copied.
The security breach was discovered on September 20, 2016 although it is unclear from the breach notification email when access to the system was gained. The attack occurred via a web portal. The portal has been shut down since the attack was discovered while an investigation is conducted. Staff have been told that the hack and system shutdown has not affected the September payroll run.
The investigation into the breach is ongoing and “Teams across the Department and across government are working to learn as much as we can as quickly as we can,” according to HHS Acting Assistant Secretary for Health Karen B. DeSalvo. Additional security protections will be put in place to prevent future cyberattacks once the exact nature of the breach, including how access was gained, has been determined.
DeSalvo did not confirm whether affected employees will be provided with credit monitoring and identity theft protection services but staff were told that further information about the incident will be provided as it becomes available.
The number of individuals affected by the breach has not been disclosed, although there are approximately 6,600 current members of the Commissioned Corps. If former and retired members’ data have also been accessed the victim count will be considerably higher.