Florida Health Insurer Discovers Breach of the PHI of 3.5 Million Individuals

One of the largest ever healthcare data breaches has recently been reported by the Florida-based health insurer Florida Healthy Kids Corp. The Department of Health and Human Services’ Office for Civil Rights was notified that the protected health information (PHI) of up to 3.5 million people may have been compromised.

The HIPAA breach did not occur at the health insurer but at one of its vendors. Florida Healthy Kids Corp used Jelly Bean Communications Design to host its website and an application used by individuals to apply for health and dental insurance.

Florida Healthy Kids was notified by Jelly Bean Communications Design on December 9, 2020 that an unauthorized individual had gained access to part of the Florida KidCare application and altered the addresses of thousands of applicants and enrollees.

Florida Healthy Kids engaged a third-party cybersecurity firm to review the security breach, identify how the hackers had gained access to the application, and which individuals had potentially been affected. The investigation revealed there were significant vulnerabilities in the hosted website platform that had not been addressed, with some of those flaws dating back 7 years to November 2013. By exploiting the flaws, the hackers gained access to the application and individuals’ PHI. Had Jelly Bean Communications Design applied patches to correct the vulnerabilities the data breach could have been avoided.

The hackers only altered a subset of individuals’ addresses, although that amounted to several thousand individuals. The hackers also potentially accessed a range of other data including names, dates of birth, telephone numbers, email addresses, Social Security numbers, financial information, and secondary insurance information. The motives behind the attack are unclear.

It is unknown whether the hackers viewed patient data other than the individuals whose addresses were tampered with and whether any of the exposed data was stolen in the attack. The investigation conducted by Florida Healthy Kids and its computer forensics firm found no evidence to indicate any data had been altered other than addresses and no evidence was found to indicate data was exfiltrated by the hackers.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The hackers were kicked out of the website and application in December 2020 and it was taken offline while Florida Healthy Kids searched for an alternative hosting provider.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/