Data Breach of 30K Florida Medicaid Recipients Accessed Via Phishing Email
One employee fell for a phishing email. As a result, thousands of Florida Medicaid recipients might have had their private information exposed.
Florida’s Agency for Health Care Administration revealed the following details on their website:
- The Agency employee fell victim to the malicious phishing email on November 15, 2017, and the Agency learned of the event 5 days later.
- The Agency notified the Inspector General (IG) and, while the IG review is ongoing, the Agency received preliminary findings on January 2.
- Prior to the IG review, the Agency employee changed their login credentials to stop inappropriate access.
- Information accessed could include enrollees’ full names, Medicaid ID numbers, dates of birth, addresses, diagnoses, medical conditions or Social Security numbers. The Agency believes only approximately 6% of impacted recipients could be confirmed as having their Medicaid ID or Social Security numbers potentially accessed.
- While the Agency doesn’t believe information has been misused, they are offering a free 1-year identity monitoring membership to those affected.
- The Agency is initiating new and ongoing security training for all employees.
The Agency took the most important step in response to this incident: initiating new security awareness training for employees. Employees make the difference between success and failure when it comes to phishing.
Here are a few tips to help your organization protect against a phishing scam:
- Can your employees identify a phishing or spear-phishing email? Create a library of phishing email samples, and use these samples in your education.
- Match your samples and awareness training to employee role. With both phishing and spear-phishing scams, your finance team could be targeted with a request for account information, while your CEO might receive a scam email masquerading as a legal subpoena.
- Information is often more impactful when it comes from an employee’s direct manager. Push information and education to first-line managers to equip them to have the right conversations with their teams.
- Ensure that all employees feel comfortable reporting an incident if they are duped. Regularly share the protocols for reporting a phishing scam or other suspicious behavior.
- Run periodic phishing simulations to test employee readiness. There are many simulation sources – some of them free – to help you get started.