The City of Philadelphia is investigating a data breach after attackers “may have gained access” to City email accounts containing personal and protected health information five months ago, in May.

While officials discovered the incident on May 24 following suspicious activity in the City’s email environment, the investigation found that the threat actors may have accessed emails in the compromised email accounts for at least two months after the City became aware of the incident.

“However, to date, the investigation determined that between May 26, 2023 and July 28, 2023, an unauthorized actor may have gained access to certain City email accounts and certain information contained therein,” the breach notice says.

“Also, on August 22, 2023, we became aware that the at-issue email accounts include email accounts that may contain protected health information.”

While the investigation and a manual review of the affected email accounts are still ongoing, the City revealed that the types of information exposed for impacted individuals include a combination of:

  • demographic information, such as name, address, date of birth, social security number, and other contact information;
  • medical information, such as diagnosis and other treatment-related information;
  • and limited financial information, such as claims information

“In an abundance of caution, we are conducting a comprehensive, programmatic and manual review of the potentially impacted email accounts to determine whether personal information or protected health information was potentially affected,” the notice says.

“If so, the City will work to confirm the identities and contact information for potentially impacted individuals and provide notice via written letter.”

City officials also urged individuals who may have been affected to stay vigilant against financial fraud attempts and potential incidents of identity theft. 

They advised monitoring credit reports and account statements closely so that individuals can promptly inform their insurance company, healthcare provider, or bank about any suspicious activity.

City officials have yet to provide details on how the attackers breached the City’s email accounts or the reasons behind the five-month delay in disclosing the incident.

As reported by The Philadelphia Inquirer, the City’s Department of Behavioral Health and Intellectual Disability Services (DBHIDS) also disclosed a HIPAA breach in June 2020 after the personal health information of individuals it served was compromised following a March phishing attack.

A breach notice revealed that the email accounts of DBHIDS and Community Behavioral Health employees were hacked in the phishing attack and were accessed by the attackers between March 31 and November 15, 2020.

Source: www.bleepingcomputer.com