The City of Philadelphia revealed that a May 2024 disclosed in October impacted more than 35,000 individuals’ personal and protected health information.
The investigation found that attackers gained access to multiple email accounts between May 26, 2023, and July 28, 2023.
When it disclosed the data breach in October, the City also revealed the types of information exposed for impacted individuals, which include a combination of:
- demographic information, such as name, address, date of birth,
- social security number, and other contact information;
- medical information, such as diagnosis and other treatment-related information;
- and limited financial information, such as claims information.
The city says the data breach affected 35,881 individuals in a filing with the Office of Maine’s Attorney General.
Affected individuals whose personal data (including name, address, Social Security number, and financial account information) was exposed in the breach were notified on Monday, July 8.
The City also mailed data breach notifications on May 16 to those whose protected health information was exposed in the breach.
“In an abundance of caution, we conducted a thorough and in-depth review to determine what information was potentially accessible and to whom such information relates,” breach notification letters sent to affected people read.
“Once complete, we also worked to validate the results and locate missing address information for those potentially affected. We recently completed this process, and then worked as quickly as possible to provide notice.”
The City has informed federal law enforcement of the breach, is improving safeguards and training for its employees, and offers affected people free credit monitoring services for 12 months.
They will also receive guidance on better protecting themselves against identity theft and fraud, including advice on reporting any suspected incidents to their bank, credit card company, or other relevant institution.
City officials have yet to explain how the attackers breached the City’s email accounts and why they delayed the disclosure for five months.
The City’s Department of Behavioral Health and Intellectual Disability Services (DBHIDS) also disclosed a HIPAA breach four years ago, in June 2020, after the personal health information of individuals it served was compromised in a phishing attack.
A breach notice published on the organization’s website revealed at the time that the attackers had accessed the hacked email accounts of DBHIDS and Community Behavioral Health employees between March 31 and November 15, 2020.