One employee fell for a phishing email. As a result, thousands of Florida Medicaid recipients might have had their private information exposed.
Florida’s Agency for Health Care Administration revealed the following details on their website:
- The Agency employee fell victim to the malicious phishing email on November 15, 2017, and the Agency learned of the event 5 days later.
- The Agency notified the Inspector General (IG) and, while the IG review is ongoing, the Agency received preliminary findings on January 2.
- Prior to the IG review, the Agency employee changed their login credentials to stop inappropriate access.
- Information accessed could include enrollees’ full names, Medicaid ID numbers, dates of birth, address, diagnoses, medical conditions or Social Security numbers. The Agency believes only approximately 6% of impacted recipients could be confirmed as having their Medicaid ID or social security numbers potentially accessed.
- While the Agency doesn’t believe information has been misused, they are offering a free 1-year identity monitoring membership to those affected.
- The Agency is initiating new and ongoing security training for all employees.
Preventing the Phishing Risk
The Agency took the most important step in response to this incident: initiating new security awareness training for employees. Employees make the difference between success or failure when it comes to phishing.
Here are a few tips to help your organization protect against a phishing scam:
- Can your employees identify a phishing or spear-phishing email? Create a library of phishing email samples, and use these samples in your education.
- Match your samples and awareness training to employee role. With both phishing and spear-phishing scams, your finance team could be targeted with a request for account information, while your CEO might receive a scam email masquerading as a legal subpoena.
- Information is often more impactful when it comes from an employee’s direct manager. Push information and education to first-line managers to equip them to have the right conversations with their teams.
- Ensure that all employees feel comfortable reporting an incident if they are duped. Regularly share the protocols for reporting a phishing scam or other suspicious behavior.
- Run periodic phishing simulations to test employee readiness. There are many simulation sources – some of them free – to help you get started.
While you strengthen employee awareness, consider augmenting your online monitoring, as well. Network and file activity monitoring can help you prevent unauthorized access and data leaks. Click below to learn more about Teramind.