Ky. health agency discloses possible data breach

Kentucky's main state health agency is notifying about 2,500 individuals that their personal information may have been compromised in an e-mail "phishing" incident.

The incident involved a database kept by the Cabinet for Health and Family Services, which administers Kentucky's state Medicaid program, among other services. No medical records were involved, according to Gwenda Bond, assistant communications director for the agency. It reported the breach to HHS "because the cabinet as a whole has to abide by HIPAA," Bond said.

According to a news release from the agency, in July, an employee in the cabinet's department for community-based services responded to a hacker's phishing e-mail. "Unauthorized activity on the account was identified within a half-hour and the account was immediately disabled," the agency said in the release. "While there is no evidence that the confidential contents of the e-mail account were accessed or viewed, the hacker did have access to the e-mail account for a brief period."

Bond said the data files accessed were those of young people transitioning out of the state's foster-care program and included their names, dates of birth and most recent addresses, but no diagnoses or other medical information.