Roughly 30,000 Floridians on Medicaid may have had their personal data compromised late last year after an employee with the state’s Agency for Health Care Administration (AHCA) clicked through a malicious phishing email.
The mistake may have exposed Medicaid enrollees’ full names, ID numbers, dates of birth, addresses, diagnoses, medical conditions, and Social Security numbers. The agency, which disclosed the breach last week in a statement (.PDF) posted to its site, said the personal data of up to 30,000 individuals may have been compromised. However, the AHCA could only confirm that approximately 6 percent of those had their Medicaid ID or Social Security number accessed.
The agency, which is headquartered in Tallahassee, is primarily responsible for running Florida's Medicaid program, licensure, and regulating health facilities.
According to the announcement the phishing email incident happened on November 15 last year but the breach wasn’t discovered until five days later, on November 20.
It’s unclear exactly what transpired after the employee clicked through the phishing email: whether he or she had malware installed on their machine, or whether the attacker managed to gain a foothold on the network. The AHCA only said that the one employee was affected and that no other Agency systems or email accounts were implicated. The agency said it promptly notified the Office of the Inspector General, which carried out an investigation, and that the employee changed their login credentials to prevent further inappropriate access.
While the press release is undated the Associated Press, which reported the news on Saturday, said the agency released the news Friday evening. Administrators at the agency were notified of the OIG’s findings on Tuesday, after the New Year's holiday.
In the wake of the breach the AHCA claims it launched an internal security training initiative to prevent future breaches and is exploring additional security options.
Phishing emails may not be the most technically savvy mode of attack for cybercriminals but the technique still works and the healthcare industry still remains one of the more lucrative targets for attackers.
A phishing attack at UC Davis Health last May afforded an attacker access to an employee's account and the ability to send emails to other employees. While there wasn't evidence the attacker accessed any patient information, because the employee's email contained such information, the health system still had to send letters to 15,000 patients notifying them that their data may have been accessed.
The fact that the Florida AHCA attack took two months to disclose is actually an improvement over recent healthcare phishing attacks.
The Medical College of Wisconsin waited until November to disclose a breach that affected the facility four months prior, in July. That attack, in which employees were targeted with spear phishing emails, resulted in the exposure of data belonging to 9,500 patients.
An attack at Georgia's Augusta University Medical Center in April last year took five months for the facility to disclose. That incident let attackers gain access to patients' names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers.