Special to Iredell Free News
Iredell-Statesville Schools reported on Friday that a data breach has affected participants in its flexible spending account plan.
To administer those plans, the school district contracted with a third-party administrator, Interactive Medical Systems Corporation (IMS). On December 31, 2019, IMS received a technical alert concerning the email address of an IMS employee which indicated that the employee’s email account was restricted from sending messages.
IMS found that an unauthorized forwarding rule had been placed on the employee’s email account and immediately took steps to secure that user’s email account; however, there was no indication other accounts within IMS were affected.
IMS initiated an investigation to assess the incident’s scope, including a review of all emails in the user’s account during the compromised period and engaging a third-party cybersecurity firm to perform a comprehensive forensics investigation. There was no indication that Iredell-Statesville Schools systems were involved.
The investigation confirmed that emails within the affected user’s email account between July 19 and December 31, 2019, were exposed to an unknown unauthorized third party as a result of a sophisticated phishing attack.
A phishing attack uses a malicious email that appears to be legitimate to entice the user into giving up login information. The email contains a link that appears to lead to the user’s own email system login page, but instead leads to an identical-looking page hosted on a malicious server.
IMS assured the school district that it took and is taking steps to prevent a similar event from occurring in the future, and to otherwise protect the privacy and security of plan participant information.
These actions include optimizing network configuration for security; upgrading the IMS email platform for enhanced monitoring and security; implementing multi-factor authentication for email access and electronic data storage systems; adding a secondary anti-virus detection tool to existing IMS anti-virus detection tools; implementing stricter password management policies; enhancing email threat detection; branding email login pages; and improving data privacy training and awareness.
Through the forensic investigation, IMS determined that the categories of personal information exposed vary for each affected individual and may have included: First and Last Name, Last Four Digits of Social Security Number, Transaction Date and Amount, Plan Sponsor/Employer Name, Address. The full Social Security Number was never compromised.
Affected participants were notified by 1st Class Mail on February 14, 2020. Impacted participants may contact IMS between the hours of 10 a.m. and 4 p.m. EST at (833) 315-0436.
IMS notified all affected plan participants of this breach and included information about what they can do to protect themselves.