As an update to the Florida Department of Health ransomware attack reported yesterday:
On July 2, threat actors known as Ransom Hub had claimed to have exfiltrated 100 GB of files from the state agency. They threatened to leak it if the state did not pay their demands, but Florida law prohibits state agencies from paying ransom.
DataBreaches cannot confirm whether Ransom Hub actually leaked 100 GB of files, but they did leak a lot of data on their leak site, and a lot of it was personally identifiable information (PII) or protected health information (PHI).
The data in the tranche did not seem organized in any recognizable way, but there was a mix of internal files a state agency would store as well as specific patient-related files. Hopefully, the state has combed through the data tranche carefully to figure out what state financial accounts or other accounts have now been leaked and need to be canceled or changed.
When it comes to individuals, DataBreaches noted:
- Service-related files such as chest x-ray scheduling logs for 2023 and the first half of 2024 (up to mid-June 2024). The 2023 and 2024 logs contained thousands of entries with first and last name, date of birth, date of appointment, location of appointment (which facility), and date that the results were received;
- Workers Compensation records with detailed information on employees, their accidents and injuries, and their treatment history and notes. As an indication of the depth of the details, one person’s scanned file from 2004 was 63 pages and included all demographic information such as name, date of birth, address, phone number, full Social Security number, marital status, physician name, health insurance information, etc.;
- Scanned images of passports;
- Prescriptions written for named patients;
- Completed applications for Florida’s Healthy Start Program for kids with parents’ demographic information, including Social Security Numbers and expected date of delivery;
- Mammography screening results for named patients with their medical record number, date of birth, date of screening, location of screening, and findings. DataBreaches also noted corresponding completed health insurance claim forms;
- Completed family planning forms about provider encounters, including medical record number, name, postal and email addresses, phone number, date of birth, net income, type of birth control in use, health insurance carrier, and policy number;
- Referrals for named patients for dental services;
- Miscellaneous correspondence to individuals concerning personal information;
and more.
DataBreaches notes that the data breach review will likely be time-consuming because many of the scanned files are images of handwritten notes and forms. They will need to be reviewed manually to determine who needs to be notified and what types of information were involved for each individual. DataBreaches has not attempted to verify that all of the data is real, but from superficial inspection and using Google to try to locate people with names and relative ages matching information in the sample, this site could find people whose names matched those found in the files it viewed. Where pictures were available, the individuals appeared to be of an age corresponding to the year of birth or near to it.
See News4Jax for an explanation of how the attack has affected people’s lives.