A data breach at Oklahoma's Department of Human Services is causing concerns. DHS said thousands of people with intellectual and developmental disabilities might have had their information stolen.
Liberty of Oklahoma, which handles an Oklahoma Department of Human Services wait-list is notifying people of the potential for leaked information after the breach in December.
"The personal information involved may include name, address, date of birth, age, phone number, social security number, Oklahoma Client number which could be Medicaid identification number, and representing person’s name, address and phone number. The information exposed did not include assessment information," said Liberty, in a statement.
According to Liberty, "On December 7, 2021, Liberty became aware of a spoofed email account mimicking the email account of a Liberty employee working on the Oklahoma Waitlist Program. The spoofed email account attempted to steal payment owed to Liberty. However, Liberty and OKDHS were able to prevent any theft from occurring. Upon further investigation and a review of the spoofed email account, Liberty discovered that an unknown, unauthorized third party (“Third Party”) accessed a Liberty employee’s email account (“Affected Account”) and may have been able to access certain emails and documents stored within the Affected Account, including an unencrypted spreadsheet containing the personal information of individuals participating in the Oklahoma Waitlist Program that was sent as an attachment to the account. On December 8, 2021, Liberty immediately disabled the Affected Account after learning about the Third Party’s unauthorized access."
Liberty said technology the team, Liberty Healthcare Technology Solutions, responded quickly by disabling the account and said it was only reactivated after the account password was changed and Multifactor Authentication was enabled. Liberty Healthcare Technology Solutions is requiring every employee and user utilize MFA to access their email accounts.
Brian Wilkerson, the Legal Director for the Oklahoma Disability Law Center, wondered why it's taken this long to get in touch with families when they learned about the data breach months ago.
Life is stressful enough for parents like Jed Isbell whose son has autism.
"When you have somebody with intellectual disabilities there's just so many more additional doctor's appointments, therapy appointments, AVA therapy appointments. It's kind of like having a neurotypical child times 5," said Isbell.
Isbell is one of more than 5,000 families on the Oklahoma Waitlist for waiver services for people with intellectual and developmental disabilities.
DHS brought in Liberty of Oklahoma Corporation to help assess the needs of families on that list. Isbell received a letter yesterday from Liberty notifying him of a data breach.
"I know there's a lot of families out there that share my concern that this whole assessment, multimillion dollar assessment that liberty's doing at the request and under contract with DHS is for not... you know it was a waste of time that's just causing additional stress now [...]," said Isbell. "[W]e were always concerned that those funds could be better used to actually provide services rather than do another assessment that's already been done, you know, in the past."
On December 7, Liberty said it discovered a third party accessed a spreadsheet with participants' sensitive information.
Liberty said it's offering free identity theft protection services and recommends that you "remain vigilant for incidents of fraud and identity theft" by "regularly viewing your account statements and monitoring your free credit reports."
Liberty said you can do so by:
"The problem is, is that individuals with adults that might be on the waitlist that might have been affected by this breach are being told we can't even talk to you, you can't sign up for the program, you can't enter any of your information because you're not the individual that would be protected," said Brian Wilkerson, Oklahoma Disability Law Center Legal Director.
Read a statement from the Oklahoma Department of Human resources below:
"OKDHS takes very seriously our responsibility to keep our customers’ personal information safe and holds those with whom we contract to the same high standard for data security. Liberty responded to this situation within one day, quickly minimizing any third-party access, and they are taking steps to ensure customers’ personal information is protected, including offering identity protection services. This situation is emblematic of the very changes OKDHS is trying to make within our service systems, including bringing in modern technology systems that don’t rely upon excel spreadsheets within emails. We understand the concern this situation will undoubtedly cause for our waiting list families. At the same time, the person-centered assessments offered through Liberty are a critical piece to providing navigation services to individuals while they are on the waiting list and helping the agency build a service array that will meet the unique needs of individuals with developmental disabilities and their families for years to come. We hope families will continue to take the assessments and help us make Oklahoma a no wait state."
"If the families don't participate in that process because they're not sure about their information being safe, what does that say about what's gonna happen to their family member that's on the waitlist? Are they going to be removed if they don't cooperate? I certainly think they have a legitimate reason to be nervous about cooperating at this point," said Wilkerson.