The Agency for Health Care Administration in Florida discovered that an employee's email account had been accessed by an unauthorized person. The employee received a malicious phishing email on November 15, 2017, responded to it and disclosed their login credentials, which allowed the attacker to access the email account remotely. The protected health information of about 30,000 Medicaid enrollees was potentially compromised.
The agency became aware of the data breach on November 20. Access was blocked immediately by resetting the password. When the agency's inspector general received a report of the incident, he initiated an investigation of the attack, and the investigators have just released their preliminary findings.
A press release issued by the agency stated that the unauthorized person may have accessed information including names, addresses, birth dates, Medicaid ID numbers, medical conditions, diagnoses and Social Security numbers. About 6% of the persons affected by the data breach had either their Social Security number or their Medicaid ID compromised.
Although the data may have been accessed, the Agency for Health Care Administration in Florida has found no evidence that the compromised PHI was misused. Under the HIPAA Rules, the potential viewing or theft of sensitive information requires that the individuals impacted by the incident be notified. The Agency advised affected individuals to remain vigilant and to monitor their accounts for suspicious activity. In addition, all persons impacted by the security breach were offered one year of free credit monitoring services.
Even before the phishing attack occurred, the Agency had been running a staff training program. The attack prompted management to review that program and to provide re-education of staff on better security practices. The Agency is also considering adding further security controls to lower the risk of phishing scams.