DSS clients’ data exposed


By Paul Hughes, Republican-American

Naugatuck residents could be affected

HARTFORD — The personal information of 37,000 clients of state welfare programs may have been compromised in a possible data breach of personal health information.

The Department of Social Services reported forensic reviews found no evidence personal information was disclosed, but the agency is offering free identity theft protection services as a precautionary measure.

Letters are being sent to about 37,000 current and former clients of DSS programs and authorized representatives, explaining the situation and the agency’s offer of identity theft protection.

The potentially affected include 323 residents of Naugatuck.

An investigation began after the state detected spam emails were being sent from the accounts of a number of DSS employees following a series of “phishing” attacks last year between July 29 and Dec. 2.

“Each time this was discovered, the email account was immediately shut down and secured,” DSS Commissioner Deidre S. Gifford wrote in the notification letter. “Our review found that these email security breaches resulted from successful phishing attempts by individuals or systems outside of DSS.”

Yet, the letter advised, while the investigation could not rule out that hackers accessed personal information, it is likely that information related to applications for benefits and receipt of benefits may have been included in at least one of the DSS email accounts involved in the potential breach.

This potentially compromised information includes names, dates of birth, client numbers, case numbers and Social Security numbers.

On Friday, the DSS did not have a list of the programs that had been involved, but a majority of its approximately 1 million individual clients are involved in the state Medicaid program.

The department reported Friday that a number of steps have been taken to strengthen security protocols and training programs to better protect personal information and help identify and protect against future phishing attempts.

This included revising policies and procedures, training or retraining DSS employees about email security, and launching a new security training program covering phishing and password protection.