The second so-called "data privacy event" affected the security of personal information connected with 820 Washington residents.
A legal document — notifying the state Attorney General's Office of the breach on behalf of Benton County — did not identify whether those affected were county employees or county residents.
It said information obtained through the unauthorized access "to a certain Benton email account" included: names; Social Security numbers; driver's license numbers; medical and treatment information; health insurance information; financial account information; and student identification numbers.
The 15-page document detailing the event and the county's response was included in a report released Friday by Washington Attorney General Bob Ferguson.
Also in November 2019, a fraudster stole $740,000 from Benton County after concocting an elaborate email scheme using a contractor working on county projects.
Ferguson's report has a link to a list of all data breach notices sent to the AG's office since 2015.
Other Tri-Cities public agencies and businesses listed include Trios Health involving 569 people and Pasco Rentals, Inc. with approximately 6,300 Washington residents affected. Both of those data breaches were in 2017.
The report said that 6.3 million notices of data breaches have been sent to Washingtonians so far in 2021 — the largest number since Ferguson's office began tracking.
The number of actual data breaches reported to the office came in at 280, well past the previous record of 78 in 2018 and 2020's total of 60.
The 2018 record led to 3.5 million notices sent to residents.
The report also identifies a tremendous spike in cyberattacks and a growing threat from ransomware incidents, a type of cyberattack that uses malicious code to hold data hostage in hopes of receiving a ransom payment, The Seattle Times reported.
More than 150 ransomware incidents were recorded in 2021 — more than the previous five years combined, according to the report.
"We publish this report because Washingtonians are best able to safeguard their data when they are aware of the threats — and the threats have never been greater," said Ferguson said.
The Attorney General's Office said it receives no funding to publish the report but does it as a public service to provide Washingtonians with critical information to help them safeguard their data, according to The Times story.
Ferguson's office said his yearslong push to require companies to report data breaches and to hold them accountable led to a 2019 investigation of a data breach at Premera Blue Cross and resulted in the company paying $10 million, The Times reported.
Also that year, his office announced that Equifax would pay more than half-a-billion dollars because of a 2017 data breach affecting nearly 150 million people nationwide.
Since 2014, Ferguson's office has required several corporations with large data breaches that impacted Washingtonians' privacy — Premera, Equifax, Uber and Target Corporation — to enter into legally enforceable agreements to improve their data security, according to The Times story.
Benton County scam
In late 2019, a thief, traced to India, created an online domain name using a Kennewick construction firm's name, minus one letter to steal money from Benton County.
The name on the fake email address was strikingly similar to the name of a real employee with the legitimate company.
Employees with the Benton County Auditor's Office exchanged about 20 emails with the purported accountant over three weeks about a bill the county owed for several building projects.
On Nov. 15, 2019, an electronic transfer of $740,000 was made from the county to an Atlanta-based bank.
The thief immediately withdrew $23,000 from the account in a series of small transactions. The remaining $717,200 was seized by the U.S. Secret Service, which led the criminal investigation.
That "social engineering phishing scam" happened at about the same time as the data breach listed in Ferguson's recent report.
The letter from Vincent F. Regan from a Pennsylvania law firm said that data event involved unauthorized access to a county email account between Nov. 11 and Dec. 9, 2019.
It was not until Sept. 14, 2020, that the county's review determined the email account "contained information related to certain individuals."
The letter said Benton County immediately launched an investigation, with assistance from its risk management team and third-party forensic specialists, and notified the affected people in mid-December.
The county also implemented "additional safeguards and training to its employees," and offered free credit monitoring services for one year to the data breach victims.
© 2021 Tri-City Herald (Kennewick, Wash.). Distributed by Tribune Content Agency, LLC.
