Cyber Incident Victim: Barrow County
Date: Mar 2022
Location: United States of America
Summary
Barrow County experienced a breach of its email environment over several months, compromising sensitive personal and medical information including names, Social Security numbers, financial account details, clinical treatment data, prescription records, and insurance information. The county initiated an internal investigation and engaged a forensic security firm upon discovering the incident, though the specific discovery timeline remains undisclosed. Notification to affected individuals occurred significantly later, with the breach notice failing to disclose the total impacted population, the timeframe of vulnerable emails, or the reason for the delayed notification process. The relationship of the exposed health data to specific healthcare entities or regulators was not clarified in available disclosures.
Description
Barrow County, Georgia, experienced a breach of its email environment between March 2022 and August 2022, though public notification did not occur until June 2023. The compromised data included sensitive personal, financial, and medical information such as names, dates of birth, Social Security numbers, driver’s license or state ID numbers, financial account details, credit/debit card information with expiration dates and CVV codes, clinical treatment details, medical provider names, prescription records, insurance policy information, and patient account or medical record numbers. The county’s public notice confirmed that the impact varied by individual, with not all data elements exposed for every affected person.

The breach notification, posted on the county’s website, did not disclose when the intrusion was initially detected or the specific circumstances leading to its discovery. It stated only that upon learning of the incident, Barrow County launched an internal investigation and engaged a forensic security firm to investigate and secure its email and computer systems. The county did not specify the number of affected individuals, the timeframe of the vulnerable emails, or the reason for the delay between discovery and notification.

The county’s response included securing its systems and initiating an investigation with third-party forensic experts, though no additional technical containment measures were detailed in the public notice. The notification omitted whether the exposed health data originated from the county’s role as a health plan, provider, or business associate of Northeast Georgia Medical Center, and it did not confirm if the U.S. Department of Health and Human Services (HHS) was notified of the breach involving protected health information. The lack of contact information on the county’s website limited opportunities for external inquiries into unresolved details, including the discovery timeline, root cause, and total impacted population. No threat actor or attack vector was identified in the available public statement, and the county did not disclose whether law enforcement was involved in the investigation. The breach’s operational consequences, such as system downtime or service disruptions, were not addressed in the notification.
