The cruelest crimes are against children who are powerless to fight back. Earlier this year, more than 3.5 million children were affected by a breach exposing their protected health information (PHI).
Largest Healthcare Data Breach of 2021 to Date
Florida Healthy Kids Corporation (FHKC) reported this breach to the Office for Civil Rights (OCR) on January 29, 2021. The personal information of millions who applied for coverage or were enrolled in Florida KidCare over seven years, between 2013 and 2020, was exposed after the health plan’s website was targeted in a cyberattack. Today it’s still the largest healthcare data breach so far this year, and one of the largest breaches ever reported.
Florida KidCare is the state's umbrella children's health coverage program, made up of Medicaid for children, MediKids, Florida Healthy Kids, and the Children's Medical Services program; FHKC is the nonprofit that administers the Florida Healthy Kids plan and provided the online application families used to apply for or renew health and dental coverage.
FHKC learned of the incident about a month before reporting it, in December 2020. Potentially exposed data included full names, birth dates, email and physical addresses, phone numbers, Social Security numbers, the family relationships of the children included in the application, and secondary insurance information. The health plan's website, maintained by Jelly Bean Communications Design, reportedly had significant security vulnerabilities that had gone unpatched.
Your Credit Was Stolen Way Back When
Identity theft is far more costly and damaging to children than to adults, who at least have an established history with banks and credit bureaus. Adults have a chance to recover and fight back with proof of identity that pre-dates the breach. Children are not yet participating in the economy, and by the time they grow up, join the workforce and get health insurance, their identity may already belong to someone else.
Medical identity theft is among the fastest growing types of identity theft because stolen medical and insurance data sells so profitably on the black market. A minor's personal information is the most valuable of all: with no existing credit file or claims history, it gives criminals a clean slate to open credit or commit insurance fraud and move on before anyone notices. The crime stays hidden until the minor turns 18 and applies for credit, or later applies for a mortgage, only to learn that their credit was ruined long before they were old enough to use it themselves.
Business Associate Due Diligence
The website provider, Jelly Bean Communications, was a HIPAA business associate and is separately liable for its own compliance. OCR is investigating this breach, as it does every breach affecting 500 or more individuals, and will learn more about what happened, and why, at both FHKC and Jelly Bean Communications. Although reporting on this incident has so far focused on the website provider, the covered entity, FHKC, is not necessarily off the hook, depending on the facts.
FHKC, as the covered entity, must obtain satisfactory assurances, through a business associate agreement, that its business associates will safeguard PHI, and conducting due diligence on those vendors is how a covered entity shows those assurances were more than paper. Both covered entities and business associates are required under the HIPAA Security Rule to perform a Risk Analysis and to practice ongoing Risk Management. In the investigation, OCR will ask tough questions of both entities, and each will need to produce its HIPAA policies, proof of Risk Analysis and Risk Management, and the business associate agreement between them.
If unsure whether you are doing enough to prevent a nightmare breach like this one, as a covered entity or a business associate, give The HIPAA E-Tool® a call.