Phishing email may have exposed medical data for 30K Medicaid enrollees in Florida

Florida's Medicaid agency says information for 30,000 enrollees was potentially compromised in a November breach. (Image: Getty/juststock)

The Florida agency that oversees the state’s Medicaid program reported a data breach affecting 30,000 individuals after an employee was victimized by a phishing email.

The Florida Agency for Health Care Administration (AHCA) learned about the attack on Nov. 20 and reported the incident to the Inspector General, according to an announcement (PDF) issued by the agency.

Although the Inspector General’s investigation is still ongoing, preliminary findings indicate that names, Medicaid ID numbers, diagnoses, medical conditions and Social Security numbers were potentially compromised during the breach, which was traced back to a Nov. 15 phishing email.

RELATED: Unintended disclosure accounts for a big chunk of data breaches in 2017, and spear phishing is on the rise

“At this time, the Agency believes it is possible that the personal information of up to 30,000 individuals may have been partially or fully accessed,” the announcement read.  “Although the review is ongoing, the Agency believes that only approximately 6 percent of these individuals could be confirmed as having their Medicaid ID or social security numbers potentially accessed.”

AHCA says it has no reason to believe enrollee information was misused but has offered those affected a one-year membership to Experian’s IdentityWorks program. After reporting the incident, the affected employee changed their login credentials. The agency initiated new and ongoing security training and conducted a full review of IT data.

According to a recent report by Beazley Group, more than 40% of healthcare data breaches in the first three quarters of 2017 were the result of unintended disclosures and spear phishing emerged as a notable trend.