Florida Healthy Kids website breached; vendor blamed for not patching
What’s that feeling when you learn your web hosting vendor for the past 7 years had unpatched vulnerabilities that permitted thousands of individuals’ personal information to be accessed without authorization? Nausea? Disgust? Something else?
Florida Healthy Kids Corporation posted a notice on their site about an incident that they attribute to Jelly Bean Communications Design. From November 2013 until December 9, 2020 when the vendor discovered that the site had been hacked, an as yet unspecified number of applicants and enrollees had their personal information at risk. The types of information that may have been exposed include:
- Full Name and Date of Birth
- Email Address and Telephone Number
- Physical Address and Mailing Address, if different
- Social Security Number
- Financial Information, to include wages, alimony, child support, royalties, other income, and tax deductions Family relationships of those individuals included on the Florida KidCare Application (i.e. mother of child, sister/brother of applicant, etc.)
- Secondary Insurance Information
Florida Healthy Kids Corp. notes that the expert they brought in to investigate the breach found that the vendor had “failed to apply security patches to its software, thereby exposing the website to vulnerabilities that were ultimately exploited by the hackers.”
For their part, it sounds like the hackers changed some of the street addresses in some of the Florida KidCare applications were altered by the hackers.
You can read FHKC FAQ on the incident on their site.
Update of Feb. 12: this was reported to HHS as impacting 3.5 million members