Incident Of The Week: Phishing Scam Affects 30K Medicaid Members



Dan Gunderman
01/12/2018

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a phishing incident within Florida’s Agency for Health Care Administration, which may have led to the exposure of up to 30,000 Medicaid patients.

The news was announced by the AHCA on Jan. 5. The agency said that one of its employees became the victim of a “malicious phishing email” on Nov. 15, 2017. This snowballed into the potential data leak of up to 30,000 data sets, according to a statement from the agency.

The AHCA indicated that it learned of the phishing scam five days later, Nov. 20. At that point, the Inspector General was notified and began an investigation. Its mission: to determine whether sensitive medical data was tampered with.

See Related: 'Lying Eyes' Are Deceiving: Cyber Security Is Actually On The Rise

Preliminary findings point to the potential exposure of: Medicaid enrollees’ full names, Medicaid ID numbers, dates of birth, addresses, Social Security numbers and medical conditions/diagnoses.

Outside of this potential data leak, the agency said that none of its other systems were compromised.

The agency wrote, “Prior to the review, the employee changed their login credentials to stop inappropriate access… Although the review is ongoing, the agency believes that only approximately 6% of these individuals could be confirmed as having their Medicaid ID or social security numbers potentially accessed.”

The agency said it has “no reason to believe” that individuals’ information has been “misused.” Still, it’s using caution – in providing a one-year membership in Experian’s IdentityWorks program for those affected by the breach. It’s free for those who’ve been identified. Enrollees are also asked to call the agency’s hotline for more information.

“The Agency takes this matter very seriously and have (sic) taken steps to protect personal information and the Agency took swift action to help prevent this type of event from happening again,” the statement continues.

More specifically, the AHCA said it remediated the breach and reviewed impacted information, reviewed the agency’s IT data, initiated new and ongoing security training and is exploring additional security options.

See Related: Evaluating Risk Leads To Proactive Security Practices

In accordance with state and federal law, those enrollees potentially affected by the breach are being notified and provided information on the aforementioned credit monitoring services.

News of this phishing campaign and potential breach comes in a new year that’s expected to see a sharp rise in healthcare IT security budgets, as the Cyber Security Hub recently reported.

In a survey (entitled “Top of Mind for Top U.S. Health Systems 2018”) carried out by the Center for Connected Medicine, in partnership with the Health Management Academy, nine out of 10 leaders in healthcare indicated that they will increase the cyber security technology spend in the new year.

It appears this spending increase will be a push toward more robust network defense – in an effort to protect against AHCA-like breaches.

Similarly, the overall cyber security spend is projected to rise steadily in 2018. As reported in another recent Cyber Security Hub story, Gartner is projecting that spending will increase 8% this year – to $96.3 billion.

Analysts believe the surge is due to a number of factors, a few of which include the sheer number of breaches, anxiety about said breaches and emerging technology to detect threats and handle incidents in real time.

Give It A Look: Incident Of The Week: 247K DHS Workers Exposed In Data Breach