MDC HIPAA Media Notice

Jefferson City, Mo. — In February of this year, the Missouri Department of Conservation (MDC) was notified by its cybersecurity team of unauthorized access into one of its servers. MDC quickly activated its Incident Response Team to analyze MDC systems to remediate any issues and to gain further clarity on the scope of suspicious activity, including notifying staff and the public. A review of reasonably available information did not indicate any material subject to the unauthorized access was protected health information (PHI) covered by HIPAA’s Privacy Rule.

In April, after additional analysis, MDC determined that some files impacted by the unauthorized access contained PHI. Specifically, MDC has determined that current and former beneficiaries of the Department’s health benefits plan may have been impacted by the unauthorized server access. While MDC cannot confirm exactly what data has been affected for each impacted individual, the information involved may have included contact information (i.e., name, address, date of birth, phone number, and email) and one or more of the following:

• Health benefits plan enrollment information; and/or
• Other personal information such as Social Security numbers, driver’s licenses numbers, or state ID numbers.

MDC continues to investigate the unauthorized access to include coordinating with law enforcement. In the meantime, there are some steps individuals can take to protect themselves, including:

• Individuals should monitor any benefits statements received from health care providers, as well as bank and credit cards statements, credit reports, and other similar documents for any unfamiliar activity.
• Individuals should contact their medical provider or health plan if they identify health care services that they did not receive on an explanation of benefits statement.
• Individuals should contact their financial institution, credit card company, or other applicable agency if they notice any suspicious activity on bank or credit card statements or on tax returns.
• Individuals should contact local law enforcement authorities if they believe they are victims of a crime.

Privacy and security remain priorities for MDC. In response to this incident, MDC immediately took action to identify, isolate, and protect the impacted IT systems. MDC has implemented additional safeguards in addition to the IT security policies and procedures already in effect. MDC continues to monitor its servers, other IT systems, as well as leveraging the support of third-party cybersecurity partners.

This media notice represents one part of MDC’s larger notification process and contains the information that MDC can share at this time. MDC is in the process of providing direct, written notification to potentially impacted individuals. MDC has also provided substitute notification on its website for potentially impacted individuals that may not have sufficient address information on file with the Department.

MDC regrets the inconvenience and concern that this incident may have caused to our team, retirees, and current or former beneficiaries of our health benefits plan. MDC will provide complimentary credit monitoring services to impacted individuals that are concerned their information may have been impacted. More information about complimentary credit monitoring services will be provided in the coming weeks. Individuals who believe they have been affected by this unauthorized access may contact the Department toll-free at 800-392-3111 or PrivacySupport@mdc.mo.gov. Additional contact information is provided below.