Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals

Timberline Billing Service, LLC, a Des Moines, IA-based Medicaid billing company, has suffered a ransomware attack that resulted in the encryption and theft of data.

An investigation into the attack revealed that an unknown individual gained access to its systems between February 12, 2020, and March 4, 2020, and deployed ransomware. Prior to the encryption of files, some information was exfiltrated from its systems.

Timberline’s clients include around 190 schools in Iowa. School districts in the state that have been impacted by the breach have now been notified. It is currently unclear exactly how many schools were affected and whether the breach was limited to schools in Iowa. Timberline also has offices in Kansas and Illinois.

The types of data potentially obtained by the attacker included names, dates of birth, Medicaid ID numbers, and billing information. A limited number of Social Security numbers were also potentially compromised. While data theft occurred, no reports have been received to indicate any data have been misused.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 116,131 individuals.

University of California San Francisco Suffers PHI Breach

University of California San Francisco (UCSF) has suffered a cyberattack in which personal and health information held by the UCSF School of Medicine was potentially compromised. The cyberattack was detected on June 1, 2020 and involved a limited part of the School of Medicine’s IT systems. No further information on the exact nature of the attack has been released.

A leading cybersecurity consultant was retained to assist with the investigation and determined that records relating to current and former UCSF employees, students, collaborators, and research participants may have been compromised. Those records contained names, government ID numbers, Social Security numbers, medical information, health insurance information, and some financial information. UCSF says it is unaware of any misuse of personal information.

UCSF has been working with third-party cybersecurity consultants to reinforce its IT security defenses to prevent further breaches.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.