
Florida's Agency for Health Care Administration said hackers may have accessed the personal and confidential information of up to 30,000 Medicaid patients, including their medical records, conditions and diagnoses. The AHCA said on Friday (5 January) that one of its employees fell victim to a "malicious phishing email" on 15 November last year, resulting in the potential compromise of the sensitive data, the Associated Press reported.

The agency said it learned of the incident five days later, on 20 November, and notified the Inspector General, who launched an investigation "to identify if any protected health information was potentially accessed."

According to preliminary findings from the ongoing investigation, Medicaid enrollees' full names, Medicaid ID numbers, dates of birth, addresses, Social Security numbers and medical conditions and diagnoses may have been partially or fully accessed in the breach.

The AHCA said no other agency systems or email accounts were involved in the phishing attack.

"Prior to the review, the employee changed their login credentials to stop inappropriate access," the agency said in a statement. "Although the review is ongoing, the agency believes that only approximately 6% of these individuals could be confirmed as having their Medicaid ID or social security numbers potentially accessed."

However, the agency said it currently has "no reason to believe" that the information has been misused. In an "abundance of caution", it is offering those affected by the breach a one-year membership in Experian's IdentityWorks program for free "to help individuals detect any possible misuse of this information". It has also provided Medicaid recipients with an agency hotline number to call.

"The agency takes this matter very seriously and have taken steps to protect personal information and the Agency took swift action to help prevent this type of event from happening again," the AHCA said. In addition to a full review of AHCA data to determine the circumstances of the breach, the agency has initiated "new and ongoing security training" for employees to ensure proper security protocol and measures.

The AHCA is currently notifying all potentially affected Medicaid enrollees and is "exploring additional security options to protect against further breaches".

IBTimes UK has reached out to the agency for further comment.