An employee at the Agency for Health Care Administration was a victim of a phishing attack, which led to the breach.

A phishing attack on an employee at Florida's Agency for Health Care Administration resulted in the exposure of sensitive information on 30,000 Medicaid patients, the agency said in a Saturday notification.

The agency discovered on November 20 that an employee had been the victim of a November 15 phishing attack and “promptly reported the event to the Inspector General, who initiated a review to identify if any protected health information was potentially accessed.”

The IG's initial review indicated that the names, Medicaid ID numbers, birth dates, diagnoses, Social Security numbers, addresses, and medical conditions of up to 30,000 recipients “were accessed in part or full.”

The notice said the probe has so far confirmed that the Medicaid IDs or Social Security numbers of only six percent of those persons were potentially accessed, and stressed that the investigation was ongoing.

“At this time, the Agency has no reason to believe individuals' information has been misused,” the notice said.

The employee who fell victim to the phishing attack changed login credentials before the IG conducted its review, and the agency has established a hotline for those affected. It has also taken steps to protect personal data and prevent similar incidents in the future. In addition to reviewing its IT data to determine the circumstances surrounding the breach, the agency immediately acted to remediate it, continues to investigate it, instituted “new and ongoing security training to ensure proper security protocol for employees and is considering additional security protections.”

“As the human factor is by far the weakest link in the IT security chain, companies will benefit from automated technologies that help mitigate threats,” said Ebba Blitz, CEO of AlertSec.