Florida Healthy Kids Corporation, a Tallahassee, FL-based Medicaid health plan, has discovered that its web hosting provider failed to address vulnerabilities that hackers targeted to obtain access to its web portal and the protected health information of those applying for membership since 2013.
Florida Healthy Kids had an agreement with Jelly Bean Communications Design, LLC to arrange the hosting of its website, which incorporated an online application system for gathering data about individuals who were seeking Florida KidCare benefits or renewing their health or dental coverage.
On December 9, 2020, Jelly Bean Communications contacted Florida Healthy Kids to make them aware that unauthorized actors had obtained access to the website and were interfering with the addresses of thousands of individuals who had begun the membership process. Florida Healthy Kids hired a cybersecurity specialist to conduct an investigation to ascertain the extent of the breach.
Florida Healthy Kids temporarily closed its website until the breach was reviewed in order to prevent any additional unauthorized access. The outcome of the investigation revealed that there were several unaddressed flaws between November 2013 and December 2020 on the hosted website platform and databases of the Florida KidCare application. These weaknesses were targeted by hackers in order to infiltrate the website.
While the investigation has shown that applicant addresses had been interfered with, -. No evidence of data theft was found; however, the possibility that data theft took place could not be 100% eliminated.
The information impacted in the breach included names, dates of birth, emails, telephone contact info, physical and mailing addresses, Social Security data, financial details, family relationships of people listed in the application, and secondary insurance data.
The Florida KidCare online application platform is still not back online as the company is working to identify a new web hosting provider.
Those who were impacted by the breach have now been notified. The notifications started to be sent on January 27, 2020 and included instructions to take steps such as configuring fraud alerts and placing security freezes on accounts. It remains unknown how many individuals have been impacted in the breach.