Toni Hohlfelder, the county's human services director, said a remote-controlled application was accidentally downloaded by a Chippewa County employee on Feb. 28.
"The County cannot confirm how this occurred, but we believe it was by accidentally clicking on an Internet pop-up or malicious link in error that downloaded the application," she wrote in a press release. "Then, on Wednesday, March 1, 2023, the employee was working on their computer in their office and someone else started to use the remote-control application and started to type. That person gained access to the computer for approximately five minutes until the Information Technology (IT) Department was able to stop the access."
The IT Department was able to confirm that approximately 25-35MB of data was sent through this application in a five-minute window on March 1.
"The County believes the data that was obtained was most likely documents that had been saved on the employee's desktop," Hohlfelder wrote. "There were seven (7) total documents saved on the employee's desk top that contained HIPAA (private medical) information. A letter notifying many of the individuals was mailed to those individuals (Wednesday.) There are several names on one of those documents (a spreadsheet) that the County no longer has addresses for because those individuals have not been clients of the County in over 10 years and are no longer residing at the addresses the County has on file. This spreadsheet contained a medical history number, client name, drug prescribed, date signed and the doctor's initials."
No social security numbers were included on any of the documents potentially breached, she added.
County administrator Randy Scholz noted this type of breach could "happen to anyone at any time."
"Our employee recognized it and took action quickly," Scholz said. "And our IT department mitigated the hacker too. It's just a real credit to our employee and the IT Department. I'm proud of how we reacted; the training paid off."
Scholz said tracking down the source of the breach is likely impossible, but he's confident that it was isolated to the one computer.
"They didn't get into our system," Scholz said. "We have other safeguards in place."
Scholz said these types of hacks are often looking for private banking information, which was not on that machine.
©2023 the Leader-Telegram, Distributed by Tribune Content Agency, LLC.
