7-Year Breach of Florida Medicaid Applicants’ PHI Due to Failure in Patching

Florida Healthy Kids Corporation, a Medicaid health plan based in Tallahassee, FL, found out that its web hosting company did not patch vulnerabilities and cybercriminals exploited it to obtain access to its site and the protected health information (PHI) of individuals applying for benefits within the last 7 years.

Florida Healthy Kids employed Jelly Bean Communications Design, LLC. for website hosting. The website has an online application that logged the data of individuals when they sent applications for Florida KidCare benefits or requested to renew their health or dental coverage on the web.

On December 9, 2020, Jelly Bean Communications informed Florida Healthy Kids that unauthorized persons had acquired access to the webpage and made changes to the addresses of a few thousand applicants. Florida Healthy Kids had cybersecurity specialists who conducted an investigation to know the magnitude and severity of the security breach.

Florida Healthy Kids had to shut down the web page during the breach investigation to avoid any further unauthorized access. The analysis of the website platform and databases that kept the Florida KidCare application revealed some existing vulnerabilities between November 2013 and December 2020, and that cyber criminals exploited the vulnerabilities to get access to the website.

Although the evidence showed the tampering of applicant addresses, it is likewise possible that the hackers exfiltrated patient information, though there was no evidence of data theft found.

The hackers possibly accessed the following types of information: full names, birth dates, telephone numbers, Social Security numbers, email addresses, physical and mailing addresses, financial data, family relationships of persons provided in the application, and secondary insurance details.

The Florida KidCare online application stays offline while the company finds a new web hosting vendor. Florida Healthy Kids began notifying affected individuals on January 27, 2020 and advised them to take the proper steps to safeguard their identities, including creating security freezes and fraud alerts. There is no clear number yet regarding the number of people impacted.