Florida Health Insurer Discovers Breach of the PHI of 3.5 Million Individuals

One of the largest ever healthcare data breaches has recently been reported by the Florida-based health insurer Florida Healthy Kids Corp. The Department of Health and Human Services’ Office for Civil Rights was notified that the protected health information (PHI) of up to 3.5 million people may have been compromised.

The breach did not occur at the health insurer but at one of its vendors. Florida Healthy Kids Corp used Jelly Bean Communications Design to host its website and an application used by individuals to apply for health and dental insurance.

Florida Healthy Kids was notified by Jelly Bean Communications Design on December 9, 2020 that an unauthorized individual had gained access to part of the Florida KidCare application and altered the addresses of thousands of applicants and enrollees.

Florida Healthy Kids engaged a third-party cybersecurity firm to review the security breach, identify how the hackers had gained access to the application, and which individuals had potentially been affected. The investigation revealed there were significant vulnerabilities in the hosted website platform that had not been addressed, with some of those flaws dating back 7 years to November 2013. By exploiting the flaws, the hackers gained access to the application and individuals’ PHI. Had Jelly Bean Communications Design applied patches to correct the vulnerabilities the data breach could have been avoided.

The hackers only altered a subset of individuals’ addresses, although that amounted to several thousand individuals. The hackers also potentially accessed a range of other data including names, dates of birth, telephone numbers, email addresses, Social Security numbers, financial information, and secondary insurance information. The motives behind the attack are unclear.

It is unknown whether the hackers viewed patient data other than the individuals whose addresses were tampered with and whether any of the exposed data was stolen in the attack. The investigation conducted by Florida Healthy Kids and its computer forensics firm found no evidence to indicate any data had been altered other than addresses and no evidence was found to indicate data was exfiltrated by the hackers.

The hackers were kicked out of the website and application in December 2020 and it was taken offline while Florida Healthy Kids searched for an alternative hosting provider.