Metzger, a Democrat, says Alera Group, the vendor that administers benefits for county employees, experienced a data breach involving employee data in August of last year. Ulster County is self-insured, and Alera Group helps connect the county with third-parties like Anthem Blue Cross Blue Shield, Magellan RX and Delta Dental.
Ulster County Comptroller March Gallagher, also a Democrat, says several people with the county were notified last August that Alera had experienced a “cyber incident,” but it wasn’t clear whether county employee data was at risk. She says the county didn’t learn that employee data was part of the breach until it received a hard-copy letter from Alera in June — and after employees started receiving numerous notifications from parties like Anthem and Magellan.
“It became abundantly clear when people started receiving 24 pieces of mail at their home address in one day," Gallagher tells WAMC.
Gallagher says the breach involved employee names, birthdates, social security numbers, and even medications and medical diagnoses in some cases. She says Alera is offering two years of free credit monitoring for Ulster County employees through a third-party provider.
Alera Group did not return multiple requests for comment from WAMC. It has a post on its website dated May 21, which says Alera experienced a “privacy incident” in which data may have been removed from its network as a result of “unauthorized access to the Alera Group technology environment” between July 19 and August 4 of 2024.
The post adds that Alera was not aware of any identity theft or fraud resulting from the breach at that time, and that, "We have taken steps to secure our environment and completed a thorough and comprehensive investigation with the assistance of third-party cybersecurity specialists. We have implemented additional cybersecurity measures to further protect our environment. The confidentiality, privacy and security of information in our care is among our highest priorities.”
Metzger maintains “immediate action should have been taken by the Alera group to enroll employees in credit monitoring at the point of the data breach.” Metzger says she is notifying the New York State Attorney General’s Office and considering legal action over the situation.
Gallagher says the county is specifically looking at whether the June letter was a sufficient and timely notification from Alera, according to its contract with the county. The comptroller says she’ll be looking at Ulster County’s internal controls around cybersecurity.
“Is our cyber-breach material up to date? Do we have appropriate processes in place?" she wonders. "And with respect to receiving a communication like this, do we have the internal controls necessary to make sure that everyone is alerted and aware in a timely manner? So we’re going to be reviewing even how mail comes in and is addressed."
The sheer number of notifications that employees received from third-parties has her worried that multiple entities working with Alera Group may have access to county data, Gallagher says, even though they are not under direct contract with the county.
“There were others that we didn’t necessarily know about, that we’re asking questions now, ‘Who are these entities that have access to our data?’” asks Gallagher.
In the meantime, Gallagher says staff at the Ulster County Personnel Department are available to help employees who want to enroll in the credit-monitoring program.
“People should be careful out there. This is becoming a more common situation," Gallagher notes. "People need to be careful not only with their own personal information, but when they’re operating systems either at home or for an employer or at a volunteer place where they serve. Be careful what you click on. We don’t know exactly how the Alera Group breach occurred, but people should be very careful and circumspect when they receive communications that may require them to put information or click on a link.”
