Phishing Exposed Medicaid Details for 30,000 FloridiansNo Misuse of Exposed Data Has Been Reported - Yet
Personal details for 30,000 Medicaid recipients in Florida may have been exposed after a government employee fell victim to a phishing attack, officials in the state say.
The disclosure comes from the state's Agency for Health Care Administration, which regulates healthcare facilities and is responsible for administering Medicaid.
A press release on the regulator's website is undated, but the Associated Press reported it was posted Friday evening.
The exposed information may have included full names, Medicaid identification numbers, birthdates, Social Security numbers and addresses. Also possibly exposed were the medical conditions of enrollees.
Phishing attacks are one of the most pedestrian methods for stealing information, but they remain still highly effective. The attacks, which get executed via email, often try to trick a victim into following links to malicious sites.
One of the most common ruses is warning people of an issue with their login credentials for a service, then leading them to a look-alike but false domain that collects their authentication credentials. Criminals can use these credentials to authenticate themselves to legitimate sites in the victim's name.
Despite improved warnings from web browsers when they detect sites that lack proper security certificates, as well as improved detection of phishing sites in general by security defenses, phishing attacks continue to snare many individuals.
"Large-scale medical hacks are horrible in themselves, but sometimes it's the ease of the hacks that's scary," writes Troels Oerting, group CISO for Barclays Bank, on Twitter.
Large-scale medical hacks are horrible in themselves, but sometimes it's the ease of the hacks that's scary: Phishing attack exposes data for 30,000 Medicaid recipients in Florida. #dataprotection https://t.co/1aBdZTBLtY— Troels Oerting (@TroelsOerting) January 7, 2018
ID Numbers Exposed
The Agency for Health Care Administration writes that it learned of the phishing attack on Nov. 20, 2017, five days after it occurred.
It then reported the incident to Florida's inspector general, which is continuing to investigate if residents' protected health information was affected. The phished employee's login credentials were changed prior to the inspector general's review, state officials say.
The agency believes that personal information for up to 30,000 individuals was partially or fully exposed. It has confirmed that about 6 percent of victims - or 1,800 - had their Medicaid ID or Social Security numbers potentially accessed.
As is customary with such incidents, the agency is offering victims a one-year membership with an identity theft monitoring service, in this case, from Experian. It has also set up a hotline for victims, which is 1-844-749-8327.
Billion-Dollar Medical Fraud
The agency says there are no indications that exposed information may have been misused. But often with data breaches, fraudsters capture so much information that it is impossible to immediately convert it all to illegal gain.
Medicaid, one of the largest U.S. government programs, provides healthcare benefits to tens of millions of low-income people. The federal government has waged a years-long battle to reduce billing-related fraud, which costs billions of dollars annually.
Last July, the Department of Justice charged 412 people for schemes that resulted in $1.3 billion in fraudulent billings. Such scams typically get executed via corrupt medical providers, who submit false invoices to the government, the Justice Department says. "In many cases, patient recruiters, beneficiaries and other co-conspirators were allegedly paid cash kickbacks in return for supplying beneficiary information to providers," the Justice Department said.
The U.S. Department of Health and Human Services warns consumers to keep abreast of provider names on healthcare bills and report suspicious activity. It also advises them to "guard your Medicare and Social Security numbers" and to "treat them like you would your credit cards."
While such advice remains timely and pertinent, it alone cannot protect consumers. As breaches of data aggregators such as Equifax have shown, service providers who collect - and sometimes lose - personal information also continue to pose a clear and present danger to consumers' privacy and vulnerability to identity theft schemes (see Equifax: Breach Exposed Data of 143 Million US Consumers).