Philly data breach hit other city departments, besides health - WHYY
Philly data breach that impacted health employee emails also hit other departments
ByEmily ScottMay 27, 2021
Philadelphia’s Health Center #1 at Broad and Lombard streets. (Kimberly Paynter/WHYY)
Philadelphia’s Health Center #1 at Broad and Lombard streets. (Kimberly Paynter/WHYY)
The City of Philadelphia has released an update on an investigation into a data breach that left some employee email accounts accessible to unauthorized individuals.
The incident, initially identified in March 2020, was the result of an employee’s email account that was exposed due to a phishing attack. The breach impacted people receiving services from the Department of Behavioral Health and Intellectual disAbility Services, as well as Community Behavioral Health, a nonprofit contracted by the city to administer the behavioral health Medicaid program, HealthChoices.
The city’s investigation has revealed that the breach did impact other city employee emails in departments outside of DBHIDS, and that DBHIDS and CBH accounts were accessed without authorization between March 11 and Nov. 15, 2020. The investigation also showed that other city department emails were accessed from March 2020 to January 2021.
Related Content
The Rocky statue is outfitted with a mock surgical face mask
HEALTH
Pennsylvania to lift face mask mandate by the end of June
Pennsylvania's mask mandate will be lifted on June 28 or when 70% of adult residents are fully vaccinated — whichever comes first.
7 days ago
It appears the hack is connected to a series of attacks targeting health care and social service organizations and agencies during the pandemic. The city has yet to confirm whether emails and/or confidential email attachments were viewed due to the breach. The accounts affected had access to demographic and health-related information for people receiving services through DBHIDS and CBH, including names, dates of birth, addresses, account and medical record numbers, health insurance information, clinical information such as diagnosis names, and description of services the individual was receiving, and copies of birth certificates, driver’s licenses, and Social Security cards.
The city is reviewing what documents were accessible for other departments impacted by the incident, but investigators believe it is also personally identifiable information.
DBHIDS has been informing the affected individuals since last August, offering them credit and identity monitoring services free of charge. After CBH concluded its investigation in March, the organization also sent letters to people who were potentially impacted.
Related Content
Outreach worker Kenneth Harris engages with a client outside Somerset Station. (Emma Lee/WHYY)
PLANPHILLYCOMMUNITY
SEPTA is testing a new way to help people struggling with addiction on the system
SEPTA is trying a new approach to keeping its stations clean and safe, while helping people suffering from addiction who take shelter in the transit system.
1 week ago
Listen 4:33
The city is now in the process of contacting individuals impacted outside of DBHIDS and CBH, and is encouraging residents to regularly check their bank accounts, credit card statements, and monitor health insurance claims for suspicious activity.
Officials say they have made “significant security improvements” as a result of this specific hack, and a general increase of cyber threats on local governments. A fall 2020 cyber attack on Delaware County’s computer network resulted in the county paying $25,000 in ransom. In October 2019, a Philadelphia Inquirer report revealed that a public data tool built by the city’s Department of Public Health to track hepatitis infections exposed the health records and other private information for thousands of people receiving medical care in the city.
Philadelphia has expanded its monitoring of network activity and added new tools to increase email security, including multi-factor authentication on all city email accounts.
Anyone who receives services from DBHIDS can call 1-855-763-0063 for more information and to answer any questions. CBH members can call 1-833-664-2001. If you are not affiliated with DBHIDS or CBH but received notice of the data breach will receive a contact number if they have any other questions.
ByEmily ScottMay 27, 2021
Philadelphia’s Health Center #1 at Broad and Lombard streets. (Kimberly Paynter/WHYY)
Philadelphia’s Health Center #1 at Broad and Lombard streets. (Kimberly Paynter/WHYY)
The City of Philadelphia has released an update on an investigation into a data breach that left some employee email accounts accessible to unauthorized individuals.
The incident, initially identified in March 2020, was the result of an employee’s email account that was exposed due to a phishing attack. The breach impacted people receiving services from the Department of Behavioral Health and Intellectual disAbility Services, as well as Community Behavioral Health, a nonprofit contracted by the city to administer the behavioral health Medicaid program, HealthChoices.
The city’s investigation has revealed that the breach did impact other city employee emails in departments outside of DBHIDS, and that DBHIDS and CBH accounts were accessed without authorization between March 11 and Nov. 15, 2020. The investigation also showed that other city department emails were accessed from March 2020 to January 2021.
Related Content
The Rocky statue is outfitted with a mock surgical face mask
HEALTH
Pennsylvania to lift face mask mandate by the end of June
Pennsylvania's mask mandate will be lifted on June 28 or when 70% of adult residents are fully vaccinated — whichever comes first.
7 days ago
It appears the hack is connected to a series of attacks targeting health care and social service organizations and agencies during the pandemic. The city has yet to confirm whether emails and/or confidential email attachments were viewed due to the breach. The accounts affected had access to demographic and health-related information for people receiving services through DBHIDS and CBH, including names, dates of birth, addresses, account and medical record numbers, health insurance information, clinical information such as diagnosis names, and description of services the individual was receiving, and copies of birth certificates, driver’s licenses, and Social Security cards.
The city is reviewing what documents were accessible for other departments impacted by the incident, but investigators believe it is also personally identifiable information.
DBHIDS has been informing the affected individuals since last August, offering them credit and identity monitoring services free of charge. After CBH concluded its investigation in March, the organization also sent letters to people who were potentially impacted.
Related Content
Outreach worker Kenneth Harris engages with a client outside Somerset Station. (Emma Lee/WHYY)
PLANPHILLYCOMMUNITY
SEPTA is testing a new way to help people struggling with addiction on the system
SEPTA is trying a new approach to keeping its stations clean and safe, while helping people suffering from addiction who take shelter in the transit system.
1 week ago
Listen 4:33
The city is now in the process of contacting individuals impacted outside of DBHIDS and CBH, and is encouraging residents to regularly check their bank accounts, credit card statements, and monitor health insurance claims for suspicious activity.
Officials say they have made “significant security improvements” as a result of this specific hack, and a general increase of cyber threats on local governments. A fall 2020 cyber attack on Delaware County’s computer network resulted in the county paying $25,000 in ransom. In October 2019, a Philadelphia Inquirer report revealed that a public data tool built by the city’s Department of Public Health to track hepatitis infections exposed the health records and other private information for thousands of people receiving medical care in the city.
Philadelphia has expanded its monitoring of network activity and added new tools to increase email security, including multi-factor authentication on all city email accounts.
Anyone who receives services from DBHIDS can call 1-855-763-0063 for more information and to answer any questions. CBH members can call 1-833-664-2001. If you are not affiliated with DBHIDS or CBH but received notice of the data breach will receive a contact number if they have any other questions.