Failure to Patch Results in 7-Year Breach of Florida Medicaid Applicants’ PHI and Exposure of 3.5 Million Records

The Tallahassee, FL-based Medicaid health plan, Florida Healthy Kids Corporation, has discovered its web hosting provider failed to patch vulnerabilities which were exploited by cybercriminals to gain access to its website and the protected health information of applicants for benefits for the past 7 years. The breach is listed on the HHS’ Office for Civil Rights breach portal as affecting 3.5 million individuals, making this one of the largest healthcare data breaches of all time.

Florida Healthy Kids used Jelly Bean Communications Design, LLC. for hosting its website. The website included an online application that recorded information about individuals when they applied for Florida KidCare benefits or renewed their health or dental coverage online.

On December 9, 2020, Jelly Bean Communications notified Florida Healthy Kids that unauthorized individuals had gained access to the website and tampered with the addresses of several thousand applicants. Florida Healthy Kids engaged cybersecurity experts to conduct an investigation to determine the scope and severity of the breach.

Florida Healthy Kids temporarily shut down the website while the breach was investigated to prevent any further unauthorized access. The review of the hosted website platform and databases that supported the Florida KidCare application revealed several vulnerabilities were present from November 2013 to December 2020, and that the vulnerabilities had been exploited to gain access to the website.

Please see the HIPAA Journal Privacy Policy

While evidence was found showing applicant addresses had been tampered with, it is also possible that the attackers exfiltrated patient data, although evidence of data theft was not found.

The types of information exposed to the hackers included full names, birth dates, email addresses, telephone numbers, physical and mailing addresses, Social Security numbers, financial information, family relationships of individuals included in the application, and secondary insurance information.

The Florida KidCare online application remains offline while a new web hosting vendor is found. Affected individuals started to be notified on January 27, 2020 and have been advised to take steps to protect their identities, including setting up fraud alerts and security freezes.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.