The City of Philadelphia has issued a notice on October 20 2023, reporting a recent security breach that could affect the personal data of several individuals.
The breach was first detected on May 24 2023, when suspicious activities were identified within the City’s email system. To investigate the matter, the City engaged third-party cybersecurity experts, who determined that unauthorized access to certain email accounts occurred between May 26 and July 28 2023. Significantly, on August 22 2023, the City also discovered these breached email accounts contained protected health information (PHI).
A comprehensive review of the affected email accounts is currently underway to identify any potential breaches of personal information. The identified compromised data so far includes:
Demographic information, such as name, address, date of birth
Medical records, such as diagnosis and other treatment-related information
Social Security numbers
Limited financial data, such as claims information
Once the identities of affected individuals are confirmed, they will receive notifications via written correspondence.
“City officials took far too long to disclose this breach to the public. Any damage the attackers planned on doing has likely been done already. According to Pennsylvania’s breach disclosure law, municipalities only have seven days to disclose a breach,” said Paul Bischoff, consumer privacy advocate at Comparitech.
“Victims are at risk of health benefits fraud, plus phishing and scam attempts that personalize their messages using personal data from the breach. They should monitor their hospital bills, credit reports and other accounts, and never click on links in unsolicited emails or text messages.”
Read more on healthcare breaches: Lazarus Group Targets Internet Infrastructure and Healthcare with ‘QuiteRAT’ Malware
To fortify security, the City has reportedly strengthened its information protection protocols, revised existing policies and provided additional training to its staff. The incident has also been reported to the US Department of Health and Human Services, with further notifications to other regulatory bodies as necessary.
“Data-centric security, exemplified by practices like tokenization and encryption, should be at the forefront of every organization’s security strategy,” explained Erfan Shadabi, cybersecurity expert at comforte AG. “Such security measures can render stolen data practically worthless to threat actors.”
Individuals who may be affected by this breach are encouraged to remain vigilant and closely monitor their accounts for any suspicious activity.
Resources are available for individuals to take proactive measures, including obtaining free credit reports, placing fraud alerts or implementing credit freezes on their credit files.