The City of Philadelphia has disclosed about data breach that occurred in May 2023, impacting the personal information of 35,881 individuals.
This revelation came through a filing with the Office of Maine’s Attorney General. On July 8, 2024, the City of Philadelphia sent out written notifications to those potentially affected, including approximately 15 residents of Maine.
The City of Philadelphia clarifies that by providing this notice, it does not waive any rights or defenses concerning the applicability of Maine law, the Maine data event notification statute, or personal jurisdiction.
City of Philadelphia Data Breach: What Exactly Happened?
On May 24, 2023, the City detected suspicious activity within its email environment. An investigation was immediately launched with the help of third-party cybersecurity experts to understand the extent and nature of the breach. The investigation revealed that between May 26, 2023, and July 28, 2023, an unauthorized individual gained access to specific City email accounts.
On August 22, 2023, the City learned that these compromised email accounts potentially contained protected health information (PHI). Although the investigation could not conclusively determine whether any information was accessed or acquired, the City opted to conduct a comprehensive review to identify what information was potentially exposed and who was affected.
To comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the City notified the U.S. Department of Health and Human Services (HHS) on October 20, 2023, posted substitute notices on its website, and informed the media through the Philadelphia Inquirer.
Once the data review concluded, the City validated the findings and sought to obtain missing address information for those potentially affected. Subsequently, on May 16, 2024, the City mailed written notices to individuals whose PHI might have been compromised (excluding Maine residents), provided additional notice to HHS, updated its website, and informed the Philadelphia Inquirer once more.
By June 12, 2024, the City had completed the validation of the review results and had located the necessary address information. The personal information related to Maine residents that was potentially accessible during the event included names, addresses, Social Security numbers, and financial account information.
Steps Taken and Future Actions
Upon learning of the data breach, the City of Philadelphia acted swiftly to investigate and respond to the event. They assessed the security of their network and email system and identified the individuals who might be affected. The City also notified federal law enforcement and is working to implement additional safeguards and provide employee training to prevent future incidents. Affected individuals, including Maine residents, were offered twelve months of credit monitoring services at no cost.
The City has also provided guidance to potentially impacted individuals on protecting against identity theft and fraud. This includes advising them to report any suspected incidents to their bank, credit card company, or other relevant institutions.
The City has also provided instructions on how to place fraud alerts and credit freezes on credit files, the contact details for national consumer reporting agencies, information on obtaining free credit reports, and reminders to stay vigilant by reviewing account statements and monitoring credit reports.
Affected individuals are encouraged to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report any attempts or actual instances of identity theft and fraud.