It appears to involve information accessed June 26 through June 30 through “some” CYS emails, Somerset County commissioners said in a media release.
Among the information that may have been accessed through the breach includes Social Security numbers, insurance identification numbers, medical service dates, and details related to medical conditions and treatments for CYS clients, county officials said.
In a smaller number of cases, information related to paternity testing was potentially accessed.
“At this time, we are not aware of any misuse of the information involved,” county officials wrote in a notice to county residents.
Somerset County President Commissioner Brian Fochtman said they are taking steps to address the issue, working with a cybersecurity and data forensics consultant through the County Commissioners Association of Pennsylvania.
The statewide commissioners association supports Pennsylvania’s 67 counties and is familiar with the problems they face — cybersecurity issues among them, Fochtman said.
“They’ve been a great resource for us,” he said.
Fochtman said efforts are underway to review data to investigate who specifically was affected by the breach and where they reside to provide them direct notice about the incident.
The U.S. Department of Health and Human Services was also notified, county officials said.
County commissioners are also urging CYS service recipients to also take steps to protect themselves through “preventative measures” designed to mitigate the misuse of their personal information.
That includes reviewing personal account statements and explanation of benefit forms and using free credit reports to monitor recent — or “potentially suspicious” activity.
“If you notice any health care services listed in your (explanation of benefits) you did not receive, you should contact your health plan or doctor,” they wrote.
Any incidents of suspected identity theft should be reported to the state Office of Attorney General and major credit bureaus.
“We’re doing our due diligence to make sure the investigation is (conducted) as completely as possible — and to notify anyone who might be affected,” Fochtman said.
A notice to the public is published on the county website at co.somerset.pa.us/files/news_files/HIPAAwebsiteNotice.pdf.
Fochtman said the county is also taking internal steps to protect its accounts.
That includes strengthening procedures and access requirements for email security, retraining employees about email-related cybersecurity and communicating with staff about “phishing” scams, the county wrote in its public notice.
They have also changed passwords for email accounts impacted by the breach to prevent future access to those accounts.
©2025 The Tribune-Democrat, Distributed by Tribune Content Agency, LLC.
