COLUMBUS, Ohio (WCMH) — Some health records were included in a database that was part of the July 2024 cyberattack on Columbus’ computer systems.
The city said Monday in a press release that a limited amount of protected health information for less than 1,000 people in a Columbus Division of Fire database was leaked as part of the attack.
According to the city, the breached database included a number of records that could have contained notes about emergency medical services provided at fire calls; this information, while not the same for everyone, could include names, addresses, a person’s date of birth, the date of medical service, and notes about the services provided. The city adds that a few Social Security numbers were included in the breach.
The Columbus Division of Fire will contact by mail those affected by the breach; those people will be eligible for two years of free credit and dark web monitoring.
A massive ransomware attack on the city in July 2024 led to hundreds of thousands of people’s private information being placed on the dark web. That information included names from domestic violence cases, Social Security numbers for police officers and crime victims, and personal information for residents and visitors to Columbus City Hall over the last 20 years.
The cyber attack was traced back to a group known as Rhysida which initially attempted to auction off the information before leaking it to the dark web.
As a result of the attack, the city offered two years of free credit monitoring to anyone who chose to accept the offer. Anyone wanting to take advantage of the offer has until March 31 to sign up. Click here to be taken to the city’s sign-up page.
“I do want the public to know the council is engaged in its oversight and accountability role, and we will continue to do that throughout this process,” Councilmember Nick Bankston said.
“The city has determined that to complete our investigation, we must obtain state certification to review this data. Our current understanding is that approximately four databases may contain serious data. These results are subject to change as our investigation continues,” Department of Technology Director Sam Orth said.
Councilmembers voted to incorporate an FBI CIJS security addendum to the contract between the city and the firms defending it. It’s an important step when it comes to protecting data.
“Criminal Justice Information Services, it’s a division of the FBI,” SecureCyber CEO Shawn Waldman said.
It was formed to oversee cybersecurity compliance. It also provides guidance for viewing, storing and destroying sensitive data.
“Think police departments, prosecutors’ offices, anybody that handles what they call CJI or Criminal Justice Information, and it’s designed to basically safeguard that data,” Waldman said.
In this case, employees of the law firms overseeing the breach investigation for the city could see half a million people’s sensitive information, posted by hackers on the dark web and the addendum ensures they comply with FBI guidelines.
“It’s anything involving names, date of birth, social security numbers, kind of your typical PII, personally identifiable information,” Waldman said.
NBC4 Investigates was first to show you the Columbus Police Crime Matrix Database was breached in the attack. It included graphic incident records, social security numbers, addresses and phone numbers of victims.
“There are very specific rules in place for what you are allowed to do with it, the confidentiality piece it’s basically a security piece that you do not take advantage of the data you were accessing,” Waldman said. “Basically everything we saw that came out of the breach of Columbus is pretty much covered under CJI.”
The investigation has been happening for months and almost every piece of stolen data we have uncovered would fall into this CJIS category.
NBC4 Investigates asked the city why this step is being taken now and if the law firms were looking at the data without this compliance. They did not answer our questions or give us time for an interview with Orth. We will keep trying.
