Kids’ Health Insurer’s Website Vulnerable for 7 Years
Hackers Tampered With Some Data That Was Exposed
An organization that administers a children’s dental and health insurance program in Florida took down its online application platform after it discovered the company that hosted its website apparently failed to address vulnerabilities over a seven-year period, resulting in the exposure of personal data. Plus, hackers tampered with that data, Tallahassee, Florida-based Florida Healthy Kids Corp. says.
The organization says it was notified on Dec. 9, 2020, of a data breach experienced by Jelly Bean Communications Design, which was responsible for hosting the website.
The personal information of several thousand insurance applicants was inappropriately accessed, the organization says, but it has no evidence that anyone’s personal information was removed from the system.
Longstanding Vulnerabilities
Independent cybersecurity experts hired to conduct a review of the incident identified “significant vulnerabilities in the hosted website platform and the databases that support the online Florida KidCare application,” the organization says.
“Florida Healthy Kids learned that its web hosting vendor had failed to apply security patches to its software, thereby exposing the website to vulnerabilities that were ultimately exploited by the hackers,” according to a statement from the organization.
The vulnerabilities spanned a seven-year period from November 2013 until December 2020. The organization temporarily shut down the website and databases in December 2020. “The Florida KidCare online application will remain down until it is restored by our new web hosting vendor,” the organization says in a statement.
Information that may have been exposed includes individuals’ full names, dates of birth, email addresses, phone numbers, physical addresses, Social Security numbers and certain financial information.
Florida Healthy Kids Corp. describes itself as a “nonprofit, public-private partnership created by the Florida legislature to expand access to affordable, child-centered health insurance.” The nonprofit administers Florida Healthy Kids, a comprehensive health and dental insurance program for Florida children from age 5 through 18.
Neither the organization nor Jelly Bean Communications Design immediately responded to an Information Security Media Group request for additional information about the incident.
Vendor Risk
Some smaller companies that provide services to healthcare sector organizations “can pose a significant security and privacy risk to their clients' data since they often are not equipped with security expertise,” says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
“Further, if they or their clients do not identify them as HIPAA business associates, they can be unaware of their obligations,” she notes. “For example, it appears that a reasonable security risk assessment - as required by HIPAA - would have uncovered the vulnerabilities leading to this [Florida] breach.”
If a healthcare organization determines that a business associate lacks adequate security measures, it should “either remediate the situation or find another vendor,” Borten says.
Similar Incidents
Unfortunately, data breaches that involve longstanding, unmitigated security issues are relatively common.
For example, in fall 2019, Asheville, North Carolina-based healthcare system Mission Health discovered that malicious code had resided on its e-commerce site for three years, sending consumers’ payment information to unauthorized individuals (see: Healthcare E-Commerce Site Breach Undetected for Years).
And Dominion National, an Arlington, Virginia-based vision and dental health plan administrator, revealed in June 2019 that it had only recently discovered a 9-year-old security incident involving unauthorized access to its computer servers.