Iowa-based business associate suffers breach impacting more than 115,000 individuals

Timberline Billing Service LLC, a third party that provides Medicaid reimbursement billing services to 190 school districts in Iowa, reported a security incident October 30 that affected 116,131 individuals, according to the Office for Civil Rights (OCR) breach report.

According to the security notice posted on the Lewis Central Community Schools website, Timberline noticed suspicious activity on its network impacting certain servers and systems on March 5. Timberline later determined that an unknown actor accessed its network between February 12 and March 4, deployed ransomware, encrypted certain files, and removed information from the network.

Timberline’s investigation determined the following information may have been accessed:

• Billing or claims information
• Date of birth
• Name and Medicaid ID number
• Treatment information
• Support service code and identification number
• Social Security number

Following its investigation, Timberline reported the incident to Lewis Central Community School District on September 2. Timberline also reported the incident to law enforcement, according to the security notice. 

Timberline is taking steps to improve the security of its systems, including upgrading all servers and firewalls, resetting all user passwords and requiring frequent password rotations, and migrating school and student data to a cloud location.