Share this article on:
Reports of phishing attacks on healthcare organizations are arriving thick and fast. The latest HIPAA-covered entity to announce it has fallen victim to a phishing scam is Florida Healthy Kids Corporation, an administrator of the Florida KidCare program.
On July 25, 2017, phishing emails started to arrive in the inboxes of members of staff, some of whom responded and inadvertently gave the attackers access to the sensitive information of members of the KidCare program. The phishing attack was identified the following day and access to the compromised email accounts was immediately blocked. While the incident was mitigated promptly, the attackers had access to email accounts and data contained in those accounts for approximately 24 hours.
During that time, it is possible that the emails were accessed and sensitive information copied, although no reports of abuse of that information have been received and it is not clear whether any information was actually stolen.
An analysis of the compromised email accounts revealed the personal information of 2,000 individuals was potentially accessed. On September 7, 2017, 1,700 individuals were notified by mail that their information had potentially been compromised. The remaining 300 could not be contacted as no valid contact information was held. A substitute breach notice has been uploaded to the healthykids.org website, and a notice added to all online accounts to alert affected individuals when they next login to their accounts.
The types of information exposed includes names, addresses, phone numbers, family account numbers, and Social Security numbers. Since passwords were not exposed, Florida KidCare online family accounts could not be accessed by the attackers. Individuals impacted by the breach have been offered credit monitoring services for 12 months without charge through LifeLock.
Florida Healthy Kids Corporation said policies and procedures will be updated to prevent similar breaches from occurring in the future.