Anti-Phishing, DMARC , Breach Notification , Data Breach

Phishing Exposed Medicaid Details for 30,000 Floridians

No Misuse of Exposed Data Has Been Reported - Yet
Phishing Exposed Medicaid Details for 30,000 Floridians
Headquarters of Florida's Agency for Health Care Administration in Tallahassee. (Photo: Google Maps)

Personal details for 30,000 Medicaid recipients in Florida may have been exposed after a government employee fell victim to a phishing attack, officials in the state say.

See Also: Live Webinar | Don't Break the Bank: Achieve Compliance Quickly and at Scale

The disclosure comes from the state's Agency for Health Care Administration, which regulates healthcare facilities and is responsible for administering Medicaid.

A press release on the regulator's website is undated, but the Associated Press reported it was posted Friday evening.

The exposed information may have included full names, Medicaid identification numbers, birthdates, Social Security numbers and addresses. Also possibly exposed were the medical conditions of enrollees.

Phishing attacks are one of the most pedestrian methods for stealing information, but they remain still highly effective. The attacks, which get executed via email, often try to trick a victim into following links to malicious sites.

One of the most common ruses is warning people of an issue with their login credentials for a service, then leading them to a look-alike but false domain that collects their authentication credentials. Criminals can use these credentials to authenticate themselves to legitimate sites in the victim's name.

Despite improved warnings from web browsers when they detect sites that lack proper security certificates, as well as improved detection of phishing sites in general by security defenses, phishing attacks continue to snare many individuals.

"Large-scale medical hacks are horrible in themselves, but sometimes it's the ease of the hacks that's scary," writes Troels Oerting, group CISO for Barclays Bank, on Twitter.

ID Numbers Exposed

The Agency for Health Care Administration writes that it learned of the phishing attack on Nov. 20, 2017, five days after it occurred.

It then reported the incident to Florida's inspector general, which is continuing to investigate if residents' protected health information was affected. The phished employee's login credentials were changed prior to the inspector general's review, state officials say.

The agency believes that personal information for up to 30,000 individuals was partially or fully exposed. It has confirmed that about 6 percent of victims - or 1,800 - had their Medicaid ID or Social Security numbers potentially accessed.

As is customary with such incidents, the agency is offering victims a one-year membership with an identity theft monitoring service, in this case, from Experian. It has also set up a hotline for victims, which is 1-844-749-8327.

Billion-Dollar Medical Fraud

The agency says there are no indications that exposed information may have been misused. But often with data breaches, fraudsters capture so much information that it is impossible to immediately convert it all to illegal gain.

Medicaid, one of the largest U.S. government programs, provides healthcare benefits to tens of millions of low-income people. The federal government has waged a years-long battle to reduce billing-related fraud, which costs billions of dollars annually.

Last July, the Department of Justice charged 412 people for schemes that resulted in $1.3 billion in fraudulent billings. Such scams typically get executed via corrupt medical providers, who submit false invoices to the government, the Justice Department says. "In many cases, patient recruiters, beneficiaries and other co-conspirators were allegedly paid cash kickbacks in return for supplying beneficiary information to providers," the Justice Department said.

The U.S. Department of Health and Human Services warns consumers to keep abreast of provider names on healthcare bills and report suspicious activity. It also advises them to "guard your Medicare and Social Security numbers" and to "treat them like you would your credit cards."

While such advice remains timely and pertinent, it alone cannot protect consumers. As breaches of data aggregators such as Equifax have shown, service providers who collect - and sometimes lose - personal information also continue to pose a clear and present danger to consumers' privacy and vulnerability to identity theft schemes (see Equifax: Breach Exposed Data of 143 Million US Consumers).


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.