Data breach at DHS may have compromised thousands of people’s information

A data breach at the Oklahoma Department of Social Services is raising concerns. DHS said thousands of people with intellectual and developmental disabilities may have had their information stolen.

Liberty of Oklahoma, which operates an Oklahoma Department of Social Services waiting list, is telling people about the potential for information leaks after the December breach.

“Personal information involved may include name, address, date of birth, age, telephone number, social security number, Oklahoma customer number which could be the identification number Medicaid, and representing the individual’s name, address and phone number. The information exposed did not include assessment information,” Liberty said in a statement.

According to Liberty, “On December 7, 2021, Liberty became aware of a spoofed email account impersonating the email account of a Liberty employee working on the Oklahoma waitlist program. The spoofed email account attempted to steal the payment owed to Liberty. However, Liberty and OKDHS were able to prevent any theft. Upon further investigation and review of the spoofed email account, Liberty discovered that an unknown and unauthorized third party (“Third Party”) had accessed a Liberty employee’s email account (“Affected Account”) and may have been able to access certain emails and documents stored in the Affected Account, including a unencrypted calculation containing the personal information of individuals participating in Oklahoma’s waitlist program that was sent as an attachment to the account.On December 8, 2021, Liberty immediately deactivated the affected account after becoming aware of the ac third party unauthorized access.”

Liberty said the technology team, Liberty Healthcare Technology Solutions, responded quickly by deactivating the account and said it was only reactivated after changing the account password and enabling the multi-factor authentication. Liberty Healthcare Technology Solutions requires every employee and user to use MFA to access their email accounts.

Brian Wilkerson, legal director of the Oklahoma Disability Law Center, wondered why it took so long to get in touch with the families when they learned of the data breach months ago.

Life is stressful enough for parents like Jed Isbell whose son has autism.

“When you have someone with an intellectual disability, there are so many more doctor appointments, therapy appointments, AVA therapy appointments. It’s kind of like having a neurotypical child times 5,” Isbell said.

Isbell is one of more than 5,000 families on Oklahoma’s waiting list for waiver services for people with intellectual and developmental disabilities.

DHS enlisted the Liberty of Oklahoma Corporation to help assess the needs of families on this list. Isbell received a letter from Liberty yesterday notifying it of a data breach.

“I know there are a lot of families out there who share my concern that this whole valuation, multi-million dollar valuation that Liberty is doing at the request of and under contract with DHS is not…you know it was a waste of time that only causes extra stress now […]”, Isbell said. “[W]We’ve always been concerned that those funds could be better used to deliver services rather than doing another assessment that’s been done, you know, in the past. »

On December 7, Liberty said it discovered that a third party had accessed a spreadsheet containing participants’ sensitive information.

Liberty said it offers free identity theft protection services and recommends that you “stay alert to incidents of fraud and identity theft” by “regularly checking your account statements and monitoring your free credit reports.” “.

Liberty said you can do this by:

  1. Contact the three national credit bureaus.
  2. Get a free credit report.
  3. Place fraud alerts.
  4. Place a safety gel.
  5. Contact the Federal Trade Commission and the offices of state attorneys general.

“The problem is that people with adults who might be on the waitlist who might have been affected by this breach are being told we can’t even talk to you, you can’t sign up for the program, you can’t you can’t enter any of your information because you’re not the person who would be protected,” said Brian Wilkerson, legal director for the Oklahoma Disability Law Center.

Read a statement from the Oklahoma Department of Human Resources below:

OKDHS takes its responsibility to protect the personal information of its customers very seriously and holds those with whom we contract to the same high level of data security. Liberty responded to this situation within a day, quickly minimizing any third-party access, and is taking steps to ensure customers’ personal information is protected, including offering identity protection services. This is emblematic of the very changes OKDHS is trying to make within our service systems, including integrating modern technology systems that do not rely on Excel spreadsheets in emails. We understand the concern that this situation will undoubtedly cause for our families on the waiting list. At the same time, the person-centered assessments offered by Liberty are an essential part of providing navigation services to people while they are on the waitlist and helping the agency build a suite of services that will meet the unique needs of people with developmental disabilities and their families for years to come. We hope the families will continue to do the assessments and help us make Oklahoma a no-holds-barred state.”

“If families don’t participate in this process because they are unsure about the security of their information, what does that say about what will happen to their family member who is on the checklist? Are they going to be removed if they don’t? I certainly think they have a legitimate reason to be nervous about cooperating at this point,” Wilkerson said.

Comments are closed.