Electronic Healthcare Records
No Misuse of Exposed Data Has Been Reported – Yet
Personal details for 30,000 Medicaid recipients in Florida may have been exposed after a government employee fell victim to a phishing attack, officials in the state say.
The disclosure comes from the state’s Agency for Health Care Administration, which regulates healthcare facilities and is responsible for administering Medicaid.
A press release on the regulator’s website is undated, but the Associated Press reported it was posted Friday evening.
The exposed information may have included full names, Medicaid identification numbers, birthdates, Social Security numbers and addresses. Also possibly exposed were the medical conditions of enrollees.
Phishing attacks are one of the most pedestrian methods for stealing information, but they remain highly effective. The attacks are usually delivered by email and try to trick a victim into following links to malicious sites.
One of the most common ruses is warning people of an issue with their login credentials for a service, then leading them to a lookalike domain that collects their authentication credentials. Criminals can then use these credentials to authenticate themselves to the legitimate site in the victim’s name.
Despite improved warnings from web browsers when they detect sites that lack proper security certificates, as well as improved detection of phishing sites in general by security defenses, phishing attacks continue to snare many individuals.
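One defensive check that follows from the lookalike-domain ruse described above, as an added example that is not part of the original article: before a user (or a mail gateway) trusts a "verify your login" link, compare the link's host against the organization's known login hosts and flag hosts that merely resemble them. The trusted hosts and brand name are constructed placeholders, the digit-for-letter substitution table is illustrative, and the registered-domain split is a simplification (a real deployment would consult the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed allow-list of the organization's legitimate login hosts (placeholder, not from the article).
TRUSTED_HOSTS = {"portal.example-agency.gov", "login.example-agency.gov"}
# Brand label that should only ever appear under a trusted registered domain (placeholder).
TRUSTED_BRANDS = {"example-agency"}

# Common digit/symbol-for-letter substitutions used in lookalike names, normalized back to letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Naive 'last two labels' heuristic (assumption: real code uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return 'trusted', 'unrelated', or a 'lookalike: ...' verdict for a link's host."""
    host = (urlparse(url).hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    trusted_regs = {registered_domain(h) for h in TRUSTED_HOSTS}
    reg = registered_domain(host)
    if reg in trusted_regs:
        return "trusted"  # another host under the legitimate registered domain

    # Brand appears somewhere in the host, but the registered domain is not ours
    # (e.g. the brand used as a subdomain of an attacker-controlled domain).
    normalized_host = host.translate(HOMOGLYPHS)
    for brand in TRUSTED_BRANDS:
        if brand in normalized_host:
            return "lookalike: brand used outside trusted domain"

    # Typo-squat: registered domain within edit distance 2 of a trusted one after normalization.
    norm_reg = reg.translate(HOMOGLYPHS)
    for trusted in trusted_regs:
        if edit_distance(norm_reg, trusted) <= 2:
            return "lookalike: near-match to " + trusted
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a credential-warning email.
    for link in ["https://portal.example-agency.gov/login",
                 "https://examp1e-agency.gov/verify",
                 "https://portal.example-agency.gov.account-verify.example/",
                 "https://exampl-agency.gov/",
                 "https://news.example.org/"]:
        print(f"{link:60} {classify_link(link)}")
```

The check is deliberately conservative: anything that is not on the allow-list and does not resemble it is reported as "unrelated" rather than safe, so the verdict is input to a human or a gateway policy, not a replacement for one.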
“Large-scale medical hacks are horrible in themselves, but sometimes it’s the ease of the hacks that’s scary,” writes Troels Oerting, group CISO for Barclays Bank, on Twitter.
Large-scale medical hacks are horrible in themselves, but sometimes it’s the ease of the hacks that’s scary: Phishing attack exposes data for 30,000 Medicaid recipients in Florida. #dataprotection https://t.co/1aBdZTBLtY
— Troels Oerting (@TroelsOerting) January 7, 2018
Most Affected: 1,800 People
The Agency for Health Care Administration writes that it learned of the phishing attack on Nov. 20, 2017, five days after it occurred.
It then reported the incident to Florida’s inspector general, which is continuing to investigate if residents’ protected health information was affected. The phished employee’s login credentials were changed prior to the inspector general’s review, state officials say.
The agency believes that personal information for up to 30,000 individuals was partially or fully exposed. It has confirmed that about six percent of victims – or 1,800 people – had their Medicaid ID or Social Security numbers potentially accessed.
As is customary with such incidents, the agency is offering victims a one-year membership with Experian’s identity theft monitoring service. It has also set up a hotline for victims, which is 1-844-749-8327.
Billion-Dollar Medical Fraud
The agency says there are no indications that exposed information may have been misused. But often with data breaches, fraudsters capture so much information that it is impossible to immediately convert it all to illegal gain.
Medicaid is one of the largest U.S. government programs and provides healthcare benefits to tens of millions of low-income people. The federal government has waged a years-long battle to reduce billing-related fraud, which costs billions of dollars annually.
Last July, the Department of Justice charged 412 people for schemes that resulted in $1.3 billion in fraudulent billings. Such scams typically get executed via corrupt medical providers, who submit false invoices to the government, the Justice Department says.
Billing fraud relies on submitting false claims using personal details and information of those enrolled in government medical programs such as Medicaid, Medicare and TRICARE. The billed procedures were either unnecessary or never performed.
“In many cases, patient recruiters, beneficiaries and other co-conspirators were allegedly paid cash kickbacks in return for supplying beneficiary information to providers,” the Justice Department says in a news release.
The U.S. Department of Health and Human Services warns people to keep abreast of provider names on healthcare bills and report suspicious activity. It also advises people to “guard your Medicare and Social Security numbers” and to “treat them like you would your credit cards.”
While such advice remains timely and pertinent, it alone cannot protect consumers. As breaches of data aggregators such as Equifax have shown, service providers who collect – and sometimes lose – people’s personal information continue to pose a clear and present danger to consumers’ privacy and leave them vulnerable to identity theft schemes (see Equifax: Breach Exposed Data of 143 Million US Consumers).