The Iowa City Community School District informed families on Tuesday the company that handles Medicaid billing and reimbursement for the district was hacked and student data may have been stolen.
“On September 2, 2020, Timberline informed us that an unknown actor accessed its network between February 12, 2020 and March 4, 2020, encrypted certain files, and removed certain information from its network,” ICCSD said in a statement.
Timberline told the district the hackers have not been identified and it is not certain how much information was exposed in the hack. But, according to ICCSD, the company has “determined that the files [accessed by the hackers] contained some of our current and former students’ information, including names, dates of birth, Medicaid identification number and related billing information. In very limited instances, a student’s Social Security number was also included in the files.”
Timberline told ICCSD and other school districts whose data was involved in the hack that it was unaware of “any misuse of the data as a result of this incident.”
The company began sending letters to students whose information may have been stolen on Tuesday. It is offering free credit monitoring and identity protection services to students affected by the hack.
Since 1988, Medicaid has covered approved medical expenses for students at schools under the Individuals with Disabilities Education Act.
Timberline, a Des Moines-based company, was founded in 2007 “to fill a niche in the Medicaid reimbursement claiming for Iowa school districts,” according to its website. It handles Medicaid billing and reimbursement for school districts and regional educational agencies in Iowa and Illinois, covering more than 200 schools.
“We want our parents and students to know that we are taking this matter very seriously,” ICCSD said in its statement. None of the district’s own computers were compromised in the hack.
ICCSD said Timberline told them it “is taking steps to enhance the security of its systems, including upgrading all servers and firewalls, resetting all user passwords, requiring frequent password rotations, and migrating school and student data to a cloud location.”
Timberline has set-up a call center for anyone with questions about the data breach. The center can be reached Monday through Friday from 8 a.m. to 10 p.m. at 844-439-7669.
