
Florida warns 30,000 medical records may have been exposed

The health agency in the US state of Florida has warned that the records of up to 30,000 Medicaid patients may have been exposed when the agency’s IT systems were breached.

Florida’s Agency for Health Care Administration is reportedly blaming a “malicious phishing email” for enabling cyber attackers to gain access to its IT systems.

The agency said it became aware of the incident on 20 November 2017, five days after an employee “was the victim” of the phishing email, reports The Associated Press.

Cyber criminals are increasingly targeting medical information stores because of the wealth of personal information they provide that can be used for identity theft, fraud and related crimes.

Phishing emails are commonly used by cyber criminals to trick employees of a target organisation into launching malware that is designed to steal credentials to give attackers access to IT systems.

The breach was reported to the Inspector General, who ordered an investigation. The agency issued a warning after preliminary findings of that investigation indicated that confidential medical information, including names, addresses, dates of birth, diagnoses and medical conditions of up to 30,000 Medicaid patients, may have been accessed.

The agency said that no other systems or email accounts were involved, adding that it considers the breach a very serious matter and is notifying all those Medicaid patients who are potentially affected.

“Prior to the review, the employee changed their login credentials to stop inappropriate access,” the agency said in a statement. “Although the review is ongoing, the agency believes that only approximately 6% of these individuals could be confirmed as having their Medicaid ID or social security numbers potentially accessed.”


Although the agency said there is currently “no reason to believe” that the information has been misused, it is offering those affected by the breach a year’s free credit monitoring and has set up a support hotline.

The agency said it has taken steps to protect personal information, including a full review of the breach and “new and ongoing security training” for employees, and is exploring additional security options to protect against further breaches.

Security advisors say organisations need to recognise that technical controls alone are not enough to counter phishing attacks and that security awareness is an essential component.

Many organisations conduct regular phishing simulations to “test” employees and measure behavioural change.


