Broome County suffered data breach compromising personal information of employees and clients

• An unauthorized third party gained access to numerous County employee email accounts and County employee PeopleSoft accounts via credentials harvesting phishing email.
• The data involved in the breach includes names, dates of birth, contact details, Social Security numbers, financial information, and credit card information.

Broome County in New York suffered a data breach after unauthorized parties gained access to employee email accounts and payroll accounts.

The big picture

Broome County became aware of changes to a County employee’s direct deposit information on January 2, 2019. Upon which the County’s internal IT team immediately conducted an investigation to determine the nature and scope of the incident.

The investigation revealed that an unauthorized third party gained access to numerous County employee email accounts and County employee PeopleSoft accounts via credentials harvesting phishing email.

The County then retained a leading computer forensics expert to determine the impact of the incident and found out that an unauthorized individual accessed the employee email account between November 20, 2018, and January 2, 2019.

Who all are impacted?

On April 1, 2019, after a thorough review of the email accounts, the County identified all the potentially impacted individuals.

The impacted individuals include employees and clients associated with the following divisions and departments,

• Willow Point Nursing Home and Rehabilitation & Nursing Center
• Greater Binghamton Airport
• Broome County Department of Social Services
• Broome County District Attorney’s Office
• Broome County Office for Aging
• Broome County Office of Education and Training
• Broome County Office of Emergency Services
• Broome County Department of Health
• Broome County Department of Planning and Economic Development
• Broome County Department of Probation
• Broome County Department of Public Transportation
• Broome County Highway Division
• Broome County Veterans Services Agency

What data was involved?

• The data involved in the breach includes names, dates of birth, contact details, Social Security numbers, financial information, and credit card information.
• The compromised data also includes medical clinical information such as medical record numbers, patient identification numbers, diagnosis and treatment as well as health insurance and claims.

What actions are being taken?

The County is working to implement additional safeguards and security measures to enhance the privacy and security of its patient information. This includes implementing two-factor authentication and providing training to employees.

“We take this incident very seriously, and we have been working diligently, with the assistance of third-party forensic investigators, to determine the full nature and scope of this incident. We are taking additional actions to strengthen the security of our email systems moving forward,” the County said in a security notice.