Cyber Incident Victim: Timberline Billing Services, Inc.

In February and March 2020, Timberline Billing Services, Inc., a contractor providing Medicaid billing and reimbursement services to over 190 Iowa schools, experienced a cybersecurity incident involving unauthorized access to its networks. Between February 12 and March 4, 2020, an unidentified threat actor encrypted files and exfiltrated data from Timberline's systems. The Oskaloosa Community School District and Knoxville Community School District, two clients of Timberline, were formally notified of the breach on September 2, 2020, approximately six months after the intrusion period concluded. According to Timberline's public statements, the breach did not compromise their internal systems or directly access student records maintained by the school districts. The incident specifically impacted personal information of current and former students covered under Medicaid across multiple educational institutions served by the contractor.

The data security breach exposed sensitive student information, though the exact number of affected individuals across Timberline's client base remained unspecified beyond confirmation that multiple districts were involved. While Timberline asserted no penetration of school district internal systems occurred, the removal of files from their networks resulted in confirmed unauthorized access to protected student data. The incident raised potential regulatory reporting considerations due to the intersection of education records protected under FERPA and health-related information that might fall under HIPAA jurisdiction. No details regarding containment measures, forensic investigations, or remediation efforts were disclosed in available reports. School districts began notifying potentially impacted families following Timberline's September 2020 disclosure, though the full scope of compromised records across all 190+ client schools remained unclear from public information.