In early January
2018, the Florida Agency for Health Care Administration notified
approximately 30,000 Medicaid recipients that their medical and
personal records had been accessed. This happens all too often, as we
read about frequently. The attack vector varies with each incident,
depending on the environment, the tools applicable to the OS and
configuration, and so on. In this instance the attackers used a
phishing campaign, a method that has grown in use and popularity. An
employee fell victim to a simple phishing email on November 15, 2017.
This went unnoticed until the Agency was notified on November 20, 2017
by the state's Inspector General.
The spoils from the
successful attack included a large amount of data the attackers were
able to access. This included partial or full records containing the
enrollee's full name, Medicaid ID number, birth date, address,
diagnoses, medical conditions, and SSN. That is nearly all the data
needed to take over an enrollee's identity.
There are a number
of disheartening issues here. The Agency had no idea it had been
successfully phished and compromised. Its logs, internet access, and
other telemetry had not been reviewed closely enough, and the
exfiltration of data and medical records for approximately 30,000
enrollees had gone unnoticed. That is a fair amount of data to move
out of the business without anyone noticing. Nor did the employee
report the phishing email(s) or that they had clicked on them.
This breach provides
a number of teachable lessons for others. The InfoSec engineer should
have been monitoring the logs through some form of SIEM or log-analysis
application (e.g. Splunk) for odd or anomalous activity, such as a
large amount of data being sent outbound in a very short time. The
volume of data involved does not lend itself to manual review on a
regular basis, so the alerting has to be automated. The time of day of
the access should also have been noted, since activity outside normal
working hours is an anomaly signal in its own right. The amount of
data involved should have been significant enough to be noticed at
some level. There should also have been phishing awareness training
for the staff, which may have helped the business avoid this incident
entirely.
Granted, the Agency
may have budgetary constraints. This is a common issue, especially as
tax dollars decrease while costs increase. There are, however, free
and low-cost alternatives to a full-service phishing vendor's offering
(the open-source GoPhish framework, for example), and free or
lower-cost SIEMs (an ELK stack or Wazuh, for example) are available
for implementation as well.
Looking forward,
the Agency could use machine learning techniques and algorithms to
review the logs and other activity for anomalies and patterns, which
would also reduce the analyst time required. Even a simple statistical
baseline per user, flagging a day whose outbound volume is far above
that user's historical average, would catch a bulk exfiltration of
this size without a full machine learning pipeline.
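To make the monitoring lessons above concrete, here is an added example, written for this post and not code from the Agency or from any SIEM vendor, of the three checks discussed: a burst of outbound bytes in a short window, large transfers outside working hours, and a per-user daily baseline of the kind a simple anomaly-detection job would learn. The log lines are constructed for the example (not real AHCA data), and the window, byte thresholds, off-hours range and sigma multiplier are assumed tuning values that a real deployment would set from its own history.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample egress (proxy/firewall) log: "timestamp user destination bytes_out".
# Not real AHCA data; the three 23:4x lines stand in for a late-night bulk upload.
# Timestamps are assumed to be local time.
SAMPLE_LOG = """\
2017-11-13T09:12:04 jdoe sharepoint.internal 120000
2017-11-13T10:40:11 jdoe mail.internal 80000
2017-11-13T14:02:39 jdoe sharepoint.internal 95000
2017-11-14T09:05:50 jdoe sharepoint.internal 110000
2017-11-14T11:31:22 jdoe mail.internal 70000
2017-11-14T16:45:01 jdoe sharepoint.internal 130000
2017-11-15T08:58:17 jdoe sharepoint.internal 100000
2017-11-15T23:41:05 jdoe files-drop.example 420000000
2017-11-15T23:43:12 jdoe files-drop.example 380000000
2017-11-15T23:47:30 jdoe files-drop.example 450000000
"""

# Tuning values are assumptions for this example, not published AHCA thresholds.
BURST_WINDOW = timedelta(minutes=10)
BURST_BYTES = 500_000_000          # more than 500 MB out within the window
OFF_HOURS = (20, 6)                # 20:00 to 06:00 local time counts as off-hours
OFF_HOURS_BYTES = 10_000_000       # off-hours transfers over 10 MB are worth a look
MIN_BASELINE_DAYS = 2              # tiny for the sample; production wants weeks of history
SIGMA = 3.0


def parse_log(text):
    """Parse the space-separated log into (timestamp, user, dest, bytes) tuples, time-sorted."""
    events = []
    for line in text.strip().splitlines():
        ts, user, dest, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, dest, int(nbytes)))
    return sorted(events)


def is_off_hours(ts, off_hours=OFF_HOURS):
    start, end = off_hours
    return ts.hour >= start or ts.hour < end


def burst_alerts(events, window=BURST_WINDOW, threshold=BURST_BYTES):
    """Per user, sum bytes_out over a sliding window; alert once per burst that crosses threshold."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        head, total, in_burst = 0, 0, False
        for tail in range(len(evs)):
            total += evs[tail][3]
            while evs[tail][0] - evs[head][0] > window:   # slide the window forward
                total -= evs[head][3]
                head += 1
            if total > threshold and not in_burst:
                alerts.append({"rule": "burst", "user": user,
                               "at": evs[tail][0], "bytes_in_window": total})
                in_burst = True
            elif total <= threshold:
                in_burst = False
    return alerts


def off_hours_alerts(events, min_bytes=OFF_HOURS_BYTES):
    """Sizeable transfers outside working hours, regardless of volume over time."""
    return [{"rule": "off_hours", "user": u, "at": ts, "dest": d, "bytes": b}
            for ts, u, d, b in events if is_off_hours(ts) and b >= min_bytes]


def baseline_alerts(events, min_days=MIN_BASELINE_DAYS, sigma=SIGMA):
    """Per user, compare each day's total against mean + sigma*stdev of that user's prior days."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, _, b in events:
        daily[user][ts.date()] += b
    alerts = []
    for user, days in daily.items():
        history = []
        for day in sorted(days):
            if len(history) >= min_days:
                limit = mean(history) + sigma * pstdev(history)
                if days[day] > limit:
                    alerts.append({"rule": "baseline", "user": user, "day": day,
                                   "bytes": days[day], "limit": limit})
            history.append(days[day])
    return alerts


def run_detections(log_text=SAMPLE_LOG):
    """Run all three checks over a log and return the alerts grouped by rule."""
    events = parse_log(log_text)
    return {"burst": burst_alerts(events),
            "off_hours": off_hours_alerts(events),
            "baseline": baseline_alerts(events)}


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        for hit in hits:
            print(rule, hit)
```

On the sample log the burst rule fires once (the window total crosses 500 MB at the second late-night upload), the off-hours rule flags all three 23:4x transfers, and the baseline rule flags November 15 because that day's total is far above the two prior days. The three rules are deliberately independent: a slow, daytime exfiltration would slip past the first two but still move the daily baseline, which is the point of keeping a per-user history rather than a single global threshold.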