Florida Healthy Kids Corporation, a Medicaid health plan based in Tallahassee, FL, learned that its web hosting service provider failed to patch vulnerabilities and cybercriminals exploited it to get access to its site and the protected health information (PHI) of persons applying for benefits in the past 7 years.
Florida Healthy Kids utilized Jelly Bean Communications Design, LLC. to host its website. The website features an online application that documented the information of individuals when they submitted applications for Florida KidCare benefits or applied to renew their medical or dental coverage on the internet.
On December 9, 2020, Jelly Bean Communications advised Florida Healthy Kids that unauthorized people had obtained access to the webpage and meddled with the addresses of thousands of applying individuals. Florida Healthy Kids had cybersecurity professionals who carried out an investigation to find out the extent and severity of the data breach.
Florida Healthy Kids needed to close the site in the course of the incident investigation to avert any more unauthorized access. The evaluation of the website host and databases that retained the Florida KidCare application showed a number of active vulnerabilities from November 2013 to December 2020, and that cybercriminals took advantage of the vulnerabilities to obtain access to the site.
Though evidence revealed the meddling of applicant addresses, it is additionally probable that the cybercriminals copied patient data files, however there was no proof of data theft identified.
The cyber criminals potentially accessed these types of data: full names, dates of birth, phone numbers, Social Security numbers, email addresses, mailing and physical addresses, financial details, family relationships of individuals contained in the application, as well as secondary insurance data.
The Florida KidCare online application is still offline until the health plan finds another web hosting provider. Florida Healthy Kids started informing affected persons on January 27, 2020 and instructed them to take the appropriate measures to secure their identities, which include having security freezes and fraud notifications. There is no exact number yet concerning the number of people impacted.