The Iowa Department of Health and Human Services (HHS) has announced that the personal information of some Iowa Medicaid members was compromised in a national data breach affecting a contractor’s computer system last year. The breach did not directly target the Iowa Medicaid system. Elizabeth Matney, Iowa Medicaid Director, stated, “We regret the inconvenience and the concern this incident may cause Medicaid members in Iowa. HHS will continue to do everything possible to protect member information from unauthorized access.”
The breach involved Independent Living Systems (ILS), a subcontractor to Telligen, Inc., which performs annual assessments for Iowa Medicaid members. Between June 30 and July 5, 2022, ILS experienced a data breach that exposed the personal information of over four million individuals across several states. Approximately 20,800 Iowa Medicaid members were impacted, with information such as full names, Medicaid details, and other sensitive data being compromised.
ILS detected the network intrusion on July 5, 2022, and promptly reported the incident to the FBI and other authorities for investigation. On February 14, 2023, as the investigation was concluding, ILS informed Telligen of the breach. Telligen subsequently notified Iowa HHS and Medicaid on February 17, 2023.
In response to the breach, ILS has implemented measures to prevent future incidents, including improvements to their network security environment and enhanced employee training on handling sensitive information.
Iowa Medicaid is taking action to support affected members. Letters are being mailed to all impacted individuals this week, providing details on the compromised information and guidance on protecting themselves from unauthorized use of their data. The letters also offer information on accessing free credit monitoring and obtaining a free credit report.
Medicaid members seeking additional information or assistance can contact Iowa Medicaid Member Services toll-free at 833-257-1764, available Monday through Friday from 8 a.m. to 5 p.m. central daylight time.
This incident underscores the importance of robust cybersecurity measures and vigilance in protecting sensitive information. Organizations must remain proactive in safeguarding data and responding to emerging cybersecurity threats.