Out of an abundance of caution, we are writing to inform you of a data security incident involving Timberline Billing Services, LLC (“Timberline”). Charles City Community School District takes the security of student information very seriously, and we sincerely apologize for any inconvenience this incident may cause. While we are unaware of any actual misuse of student information, we are providing you with information about the incident, Timberline’s response, and the steps you may take to better protect against possible misuse of your or your child’s personal information, should you feel it necessary to do so.
Who is Timberline and Why Did They Have My Child’s Information?
Timberline provides Medicaid reimbursement billing services for covered IEP services to 190 school districts in Iowa, including Charles City Community School District. In September 2020, Timberline notified Charles City Community School District that Timberline experienced a cybersecurity incident which resulted in the exposure of personal information maintained by educational institutions and processed by Timberline. Charles City Community School District was first notified of this incident by Timberline on September 2, 2020.
On March 5, 2020, Timberline noticed suspicious activity on its network impacting certain servers and systems. Timberline launched an investigation to determine the nature and scope of this activity. Working with outside computer forensics specialists, Timberline determined that an unknown actor accessed Timberline’s network between February 12, 2020 and March 4, 2020, encrypted certain files, and also removed certain information from Timberline’s network; however, the investigation was unable to determine which specific information was actually removed. Therefore, out of an abundance of caution, Timberline undertook a comprehensive and time-intensive review of all files that could have been impacted. This review was recently completed and determined that protected health information and/or personal information relating to student information was present in files that may have been compromised.
What Information Was Involved?
Based on the information we have received from Timberline, Timberline’s investigation determined the following types of student information may have been involved: name and Medicaid ID number, billing or claims information, date of birth, medical record number, support service code & identification number, and treatment information. To date, Timberline is unaware of any actual or attempted misuse of personal information as a result of this incident.
What is Being Done in Response to this Incident?
The security, privacy, and confidentiality of student personal information are among our highest priorities. Upon learning of this incident, Timberline moved quickly to investigate and respond to the incident, assess the security of relevant Timberline systems, and identify potentially affected individuals. Timberline also reported this incident to law enforcement. In addition to the robust security measures already in place, Timberline is taking steps to enhance the security of its systems, including upgrading all servers and firewalls, resetting all user passwords and requiring frequent password rotations, and migrating school and student data to a cloud location.
While we are unaware of any misuse of anyone’s information as a result of this incident, we are offering affected students access to 12 months of minor identity monitoring through Experian at no cost to you.
What Can Impacted Individuals Do?
Timberline has established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals seeking additional information may call the toll-free assistance line at (844) 439-7669. This toll-free line is available 8:00am to 10:00pm CT Monday through Friday, and 10:00am to 7:00pm CT Saturday through Sunday, excluding U.S. holidays.