Adams County's membership in a multi-jurisdictional healthcare consortium allowed the breach to spread far beyond its borders.
A data breach in a small county in central Wisconsin potentially exposed the personal information of 258,120 people spread across eight counties. Officials in Adams County — population 20,185 — announced Friday that the names, dates of birth, Social Security numbers, credit card numbers and other identifying information collected between January 2013 and March 2018 had been exposed.
The huge disparity between Adams County's population and the number of potential victims comes from its participation in a multi-jurisdictional consortium that provides health services to residents beyond just its own borders, county manager Casey Bradley told StateScoop. "We provide services to bigger cities," he said.
Adams County is a member of the Wisconsin Department of Health Service's Capital Consortium, which manages enrollment in the state's low-income healthcare and nutrition-assistance programs across a group of counties, including Dane County, which contains Madison, the state's capital and second-largest city.
Along with healthcare and food stamp recipients enrolled through the consortium, the data breach also included records collected by Adams County's veteran services, solid waste removal, child-support and sheriff's offices. The personal information of county employees was also exposed.
While Bradley said there's no evidence the exposed data has been used for any malign purposes, the county is trying to publicize the breach statewide as it included residents across such a wide area. The other counties in the Capital Consortium were notified of the incident Friday morning, he said.
The breach was discovered March 28 by employees of the accounting firm Schenck, which was investigating what county officials describe as an "information technology incident." The investigation revealed "questionable activity on the Adams County computer system and network." A data breach was confirmed in late June, and on June 29, the county received confirmation that the personal identifying information of hundreds of thousands of people — including their health and financial records — had been subjected to unauthorized access.
The state justice department's Division of Criminal Investigation has identified at least one suspect accused of accessing those records without authorization. Officials would not give any description of the suspect, though Adams County said the suspect no longer has any permissions on the county's computer networks. The county has also taken additional steps to restrict access networkwide while the data breach is being investigated and remedied.
Bradley said the county has brought in outside consultants to review the data breach refine its cybersecurity policies. He declined to go into specifics, though he said the response will likely include employee training and the acquisition of new security software.