[BreachExchange] FLORIDA HEALTH INSURER DISCOVERS BREACH OF THE PHI OF 3.5 MILLION INDIVIDUALS

[Destry Winant]

https://www.hipaaguide.net/florida-health-insurer-discovers-breach-of-the-phi-of-3-5-million-individuals/

One of the largest ever healthcare data breaches has recently been
reported by the Florida-based health insurer Florida Healthy Kids
Corp. The Department of Health and Human Services’ Office for Civil
Rights was notified that the protected health information (PHI) of up
to 3.5 million people may have been compromised.

The breach did not occur at the health insurer but at one of its
vendors. Florida Healthy Kids Corp used Jelly Bean Communications
Design to host its website and an application used by individuals to
apply for health and dental insurance.

Florida Healthy Kids was notified by Jelly Bean Communications Design
on December 9, 2020 that an unauthorized individual had gained access
to part of the Florida KidCare application and altered the addresses
of thousands of applicants and enrollees.

Florida Healthy Kids engaged a third-party cybersecurity firm to
review the security breach, identify how the hackers had gained access
to the application, and which individuals had potentially been
affected. The investigation revealed there were significant
vulnerabilities in the hosted website platform that had not been
addressed, with some of those flaws dating back 7 years to November
2013. By exploiting the flaws, the hackers gained access to the
application and individuals’ PHI. Had Jelly Bean Communications Design
applied patches to correct the vulnerabilities the data breach could
have been avoided.

The hackers only altered a subset of individuals’ addresses, although
that amounted to several thousand individuals. The hackers also
potentially accessed a range of other data including names, dates of
birth, telephone numbers, email addresses, Social Security numbers,
financial information, and secondary insurance information. The
motives behind the attack are unclear.

It is unknown whether the hackers viewed patient data other than the
individuals whose addresses were tampered with and whether any of the
exposed data was stolen in the attack. The investigation conducted by
Florida Healthy Kids and its computer forensics firm found no evidence
to indicate any data had been altered other than addresses and no
evidence was found to indicate data was exfiltrated by the hackers.

The hackers were kicked out of the website and application in December
2020 and it was taken offline while Florida Healthy Kids searched for
an alternative hosting provider.