
Cyber Incident Victim: Scott County

Date:

Oct 2021

Location:

United States of America

Summary

Scott County experienced unauthorized access to three employee email accounts, prompting an investigation that revealed potential exposure of sensitive personal information including names, addresses, Social Security numbers, medical records, health insurance details, and financial data. The breach impacted clients, employees, and individuals receiving county-facilitated healthcare services, though no evidence of actual misuse was identified. Notification efforts proceeded as a precautionary measure following a comprehensive review of compromised email contents.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On November 30, 2021, Scott County, Iowa, detected suspicious activity involving an employee email account that was transmitting unauthorized messages to internal and external recipients. The county immediately initiated an investigation to determine the cause and secured the compromised account. With assistance from an external computer forensics specialist, the investigation revealed that an unauthorized actor had gained access to three employee email accounts on October 27, 2021—over a month prior to detection. Due to the inability to ascertain which specific emails were accessed or viewed by the threat actor, the county undertook a comprehensive review of all contents within the affected accounts to identify potentially exposed information. This review concluded on February 22, 2022, confirming that data related to county clients, employees, and individuals who received healthcare services facilitated by Scott County may have been compromised. The county emphasized it found no evidence of actual or attempted misuse of information but proceeded with notifications as a precautionary measure.


The investigation determined the exposed information varied by individual but potentially included names, addresses, dates of birth, Social Security numbers, medical details, health insurance information, and financial account data. Scott County began verifying the specific information at risk and collecting address details for affected individuals to facilitate direct notification, a process still underway as of the April 22, 2022, public disclosure. The county’s response included securing the breached accounts upon detection, conducting forensic analysis to establish the incident scope, and systematically reviewing email contents to identify impacted parties. No details regarding the attack vector, threat actor identity, or specific mitigation measures beyond account security were disclosed. The notification advised potentially affected individuals to remain vigilant but did not offer credit monitoring or other remediation services, reflecting the county’s assessment that no confirmed data misuse had occurred.
