Medicaid raid: Phishing attack exposes 30,000 patient files
Social engineering scam underlines importance of opsec training.
The personal details of thousands of Florida residents may have been exposed, after an employee at the state-run Agency for Health Care Administration was duped by a phishing email last year.
A security breach notification published by the agency on Friday warns that “the personal information of up to 30,000 individuals may have been partially or fully accessed”.
The Florida Agency for Health Care Administration is the chief health policy and planning entity for the Sunshine State. It is primarily responsible for administering the state’s $25.2 billion Medicaid program.
The group said it learned of the phishing scam on November 20 – five days after the event took place.
Although the employee in question changed their login credentials in an attempt to stop inappropriate access, the agency said it is possible that Medicaid enrollees’ full names, Medicaid ID numbers, dates of birth, addresses, diagnoses, medical conditions, and Social Security numbers were accessed.
The agency is now providing a one-year membership in Experian’s IdentityWorks program for those affected by the breach.
While news of the breach may lead some Floridians to question the welcome message that adorns the healthcare group’s homepage (below, emphasis added), the agency said it has initiated new and ongoing training to ensure proper security protocol for all employees.