An unauthorized individual has gained access to a single email account of a staff member at the Agency for Health Care Administration in Florida using a phishing scam.
The staff member was sent, and responded to, a malicious phishing email on November 15, 2017 and shared login details that permitted the attacker to remotely access his/her email account and, potentially, the protected health information of up to 30,000 Medicaid enrollees.
The agency identified the security breach on November 20 and enacted a password reset to prevent further access. The phishing incident was also reported to the agency’s inspector general, who began an investigation into the phishing attack. Preliminary reports from that investigation were released to the public late last week.
An agency press release on Friday indicated that the unauthorized individual may have partially or fully accessed information including names, Medicaid ID numbers, addresses, dates of birth, diagnoses, medical conditions, and Social Security numbers. Roughly 6% of the people affected by the incident had either their Medicaid ID or Social Security number exposed.
While data access was a potential outcome of the successful attack, Florida’s Agency for Health Care Administration has not yet found any evidence to indicate the compromised protected health information has been stolen. Since sensitive information has potentially been viewed and stolen, individuals impacted by the incident have been told to be careful and to look over their accounts for signs of fraudulent activity. All people impacted by the breach have been offered complimentary credit monitoring services for a period of 12 months.
Prior to the phishing attack, the Florida Agency for Health Care Administration had put in place a continual staff training program. The incident has resulted in a review of that program, and staff have now been reeducated on appropriate security protocols and the dangers of phishing attacks. The agency is also considering extra security controls to reduce the danger posed by phishing.