Third-party breach exposed data on 3.5 million, Florida insurer says
More than 3 million people who applied or enrolled for coverage from health insurer Florida Healthy Kids Corp. may have had data exposed in a seven-year-long breach.
The breach, which Florida Healthy Kids said took place at the company that previously hosted its website, affected an estimated 3.5 million people, according to a report that Florida Healthy Kids submitted to HHS’ Office for Civil Rights in January. The HHS agency publicly posted the report to its online database of healthcare data breaches in an update Friday.
That’s a sizeable breach to be reported in the first month of 2021. The largest healthcare data breach reported in all of 2020 compromised data on nearly 1.3 million patients.
Florida Healthy Kids in a notice on its website said the street addresses of several thousand people—a subset of the 3.5 million people reported to OCR—who applied for the insurer’s Florida KidCare coverage online between November 2013 and December 2020 had been “inappropriately accessed and tampered with” by hackers.
The hack took place on the company Jelly Bean Communications Design’s web hosting platform, according to Florida Healthy Kids. The affected addresses were collected as part of the Florida KidCare application.
Florida Healthy Kids said it was notified about the breach on Dec. 9. HHS gives HIPAA-covered entities 60 days from when they discover a data breach to notify the department.
Florida Healthy Kids has since hired an independent cybersecurity firm to review the breach. The firm identified “significant vulnerabilities in the hosted website platform and the databases” that could have exposed additional information on people who applied for or were enrolled in the insurer’s coverage in the same timeframe, according to the insurer.
The vendor, according to Florida Healthy Kids, allegedly had not applied security patches to its software.
Jelly Bean Communications Design did not immediately respond to a request for comment.
Personal data that may have been exposed through vulnerabilities in the website platform and databases include name, date of birth, email address, telephone number, financial information, secondary insurance information and Social Security number. Florida Healthy Kids has not found evidence to suggest information other than addresses was altered.
“FHKC is committed to taking every reasonable step to prevent future breaches, which will include a review of our current security practices and policies to identify ways to strengthen them,” reads a notice from Florida Healthy Kids. “FHKC is accelerating efforts previously underway to transition the website to a new vendor.”
Florida Healthy Kids is just the latest example of a healthcare organization notifying patients of data exposure after a breach at a third-party company.
UPMC in Pittsburgh last week reported a cybersecurity incident that compromised data on roughly 36,100 patients after an email breach at a law firm it uses for services related to billing. In 2019, LabCorp and Quest Diagnostics notified millions of patients after a massive data breach at the vendor American Medical Collection Agency.