Last month, two more Florida healthcare companies joined the growing list of companies that reported cases of hacking or unauthorized access to patients’ personal data.
A recent report to the Department of Health and Human Services revealed that information on more than 4,000 patients of Derm Care Management and Apollo Healthcare Supply was exposed in two separate breaches.
They join 33 other Florida healthcare companies that have reported data breaches to government agencies since July 2023, the federal report shows. The breaches could have exposed personal data from more than 6.7 million Florida patients.
That list includes Tampa General Hospital, which earlier this year agreed to pay $6.7 million to resolve a class action lawsuit brought by some of the 2.1 million patients whose data could have been published in the 2023 hack.
Patient information is usually sold on the dark web and is used for identity theft. However, cybercriminals have also stolen directly from healthcare companies, including $3.6 million stolen from a nonprofit that operates behavioral health services in the Orlando area on behalf of the state.
The funds were obtained from a Central Florida Care Health System bank account in October 2023 after an employee cleared her computer cache.
According to a report from the Orange County Sheriff’s Office, she later searched the bank’s name on Google and entered the group’s password information on a website that was found to be a scam.
The cybercriminals used the information to access the bank’s actual website and stole $3.6 million through bank transfers, the report says. A further attempt to wire $1.5 million was unsuccessful.
In addition to local law enforcement, the theft was investigated by the Secret Service, said Maria Bledsoe, the CEO of Care for Central Florida. A Texas woman is being charged with money laundering in a case related to the theft.
“Of course, that’s a shock,” Bledsoe said. “These individuals are very knowledgeable and creative.”
Central Florida Care contracts with the Florida Department of Children and Families to provide substance abuse and mental health services to Brevard, Orange, Osceola and Seminole counties.
The nonprofit was able to recover $1.9 million from its insurance, and the theft did not affect its services, Bledsoe said.
To prevent another online theft, the group switched banks and added an authentication process for accessing online banking services. It is also strengthening employee training and conducting spot checks to see if employees are falling for phishing emails, Bledsoe said.
Florida health service providers are not the only targets for hackers.
Unauthorized users gained access to Thriving Mind South Florida’s computer servers in August 2023 and obtained internal files, the group reported. It provides mental health services in Miami-Dade and Monroe counties.
The breach may have exposed the personal information of 225,000 patients, including names, Social Security numbers, dates of birth and other financial, medical and medical insurance details, according to a class action lawsuit filed by victims in Miami-Dade County Circuit Court.
A Thriving Mind official declined to comment on the story, citing the pending lawsuit.
The Florida Department of Health was also the victim of a hacker who last year posted more than 20,000 files on the dark web detailing HIV test results, detailed doctor notes, vaccinations and virus testing records.
Healthcare data could become a potential gold mine for hackers, said Hossain Shahriar, assistant director and professor at the University of West Florida Cybersecurity Center.
In addition to personal information, data breaches often reveal health insurance and patient health details. In many cases, credit cards and other financial information are also present in the files for out-of-pocket payments, he said.
Healthcare companies typically lag behind companies in the military or financial sector when it comes to investing in infrastructure that protects data, Shahriar said. He hears about health companies that still use vulnerable old operating systems.
He recommends that healthcare companies invest more to protect patient data, and said many breaches may stem from employees who have fallen for phishing emails, which may appear to be from their own company but may contain viruses and other malware.
“What happens in that healthcare industry is a large part of their focus and attention, and even their budget allocations are primarily serving patients,” Shahriar said. “You should trust me, trust me, say, $10,000.
A Tampa General official said its defenses prevented hackers from encrypting its data while its systems were being compromised.
Had hackers been able to encrypt files, it would have significantly disrupted the hospital’s ability to provide care to patients, spokesperson Amanda Bevis said in an email.
“TGH considers health, safety and privacy of our patients and team members as our number one priority,” says Bevis. “Hospitals are continuously updating and hardening systems that help prevent such events from occurring, implementing additional defensive tools and increased surveillance.”