Fraud Management & Cybercrime , Healthcare , Industry Specific
Reports: Florida Health Department Dealing With Data Heist
RansomHub Group Claims It Began Leaking 100 Gigabytes of Stolen InformationThe Florida Department of Health is dealing with a cyberattack involving the theft of sensitive health and personal information. Cybercriminal gang RansomHub reportedly claims that it began to publish 100 gigabytes of data stolen in the hack, which is the latest in a series of at least a dozen major health data breaches so far this year that involve public health departments.
See Also: The Healthcare CISO’s Guide to Medical IoT Security
RansomHub threatened to begin publishing the stolen Florida Department of Health data unless the state paid a ransom by last Friday, but it is illegal for any Florida government state agency to pay extortionists, according to reporting by local media site 4NewsJax.
The state confirmed that the incident affected the Department of Health's vital statistics system used to issue birth and death certificates, but it has declined to provide further details, 4NewsJax said. The Miami Herald reported that the incident disrupted tax collector offices and funeral homes in the state, which routinely have to access that system.
The Florida Department of Health did not immediately respond to Information Security Media Group's multiple requests for comment.
According to reporting by StateScoop, RansomHub, which has claimed responsibility for several other recent data extortion schemes, including attacks on Christie's and Change Healthcare, began publishing the stolen Florida Department of Health data on July 5, after the state refused to pay the gang.
Other Incidents
The Florida Department of Health hacking incident is the latest of many recent attacks and other major health data breaches involving public health departments.
"State and local health departments hold vast amounts of sensitive personal and medical information, making them lucrative targets for hackers seeking data they can monetize," said Jon Moore, chief risk officer at privacy and security firm Clearwater.
"Additionally, these departments often operate with limited cybersecurity resources, which can make them more vulnerable to attacks."
Public health departments face an array of internal and external challenges that, combined, make them an attractive target for cybercriminals, said Tom Walsh, president of privacy and consulting firm tw-Security.
"The leaders of state, county or city governments are elected officials. With limited budgets, the leadership - elected officials - will want to fund projects that provide the most tangible benefit to their electorate," Walsh said.
"Public health is a necessary service, but it doesn't have the same appeal to the public as building a new park. The needs of the elected official may outweigh the need for better cybersecurity. Funding could be channeled away from security to some project that might improve someone's chances of being re-elected."
Meanwhile, state, county and city governments often struggle to compete for talented IT staff, let alone cybersecurity expertise, because they generally pay less than large corporations, Walsh said.
"In rural areas and smaller municipalities, elected officials will likely not have the same depth of knowledge that a career bureaucrat, working within a health department, would have. Therefore, they may not fully understand the consequences that could occur for underfunding IT, cybersecurity or the health department."
Public health departments share important data with other trusted partners, such as hospitals, clinics and labs, Walsh said.
"If an attacker can successfully compromise a health department, this could create new opportunities to expand their attack base, knowing that other entities will have a certain level of trust from any exchanges coming from the health department."
Even when state or local governments have strict policies against paying ransoms, hackers may not be aware of these policies or the government's resolve in abiding by them, Moore said.
"Hackers often target these entities despite no-ransom policies because even unsuccessful ransom demands can disrupt operations, causing significant damage and potentially lead to financial gain through secondary means, such as selling stolen data on the dark web or even personally extorting the individuals whose information was stolen," Moore said.
As of Monday, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website shows at least a dozen other major health data breaches affecting nearly 444,000 individuals reported so far in 2024 by state and local public health departments.
The largest such breach - a hacking incident affecting nearly 253,000 individuals - was reported in April by County of Los Angeles Departments of Health Services and Public Health.
In total, the HHS OCR website shows 190 major breaches - including 64 hacking incidents - reported by public health departments since September 2009.
To date, the Colorado Department of Health Care Policy and Financing reported the largest such breach in 2023 - a hacking incident that affected nearly 4.1 million individuals. That breach involved the Clop cybercrime group's MOVEit hack (see: Data Theft Via MOVEit: 45 Million More Individuals Affected).
"Local and public health departments should prioritize implementing strong foundational controls" including comprehensive security training for staff, regular updates and patching of systems, implementing multifactor authentication, endpoint detection and response, conducting frequent security assessments to identify and address vulnerabilities proactively, and conducting regular risk analyses to understand and mitigate potential threats effectively, Moore said.
"These controls should be aligned with and built on recognized security practices like the NIST Cybersecurity Framework or the Health Industry Cybersecurity Practices."