The City of Philadelphia has revealed a significant data breach, acknowledging that attackers may have gained access five months earlier, in May, to City email accounts holding personal and protected health information. The breach was initially discovered on May 24, when suspicious activity was noticed within the City’s email system. However, a subsequent investigation has determined that unauthorized actors may have continued to access these email accounts between May 26 and July 28. On August 22, the City became aware that some of the affected accounts contained protected health information.
Furthermore, the compromised data included various types of personal information, such as names, addresses, dates of birth, social security numbers, contact information, medical data including diagnoses and treatment-related information, and limited financial information like claims data. A comprehensive review is underway to identify potentially impacted individuals. The City plans to confirm their identities and contact information and notify them via written letters.
To mitigate potential fallout from the breach, city officials are advising individuals who may have been affected to remain vigilant against financial fraud attempts and possible identity theft. They are encouraged to closely monitor their credit reports and account statements. The investigation into the breach and a manual review of affected email accounts are ongoing. As of now, the City has not provided details about how the attackers breached the email accounts or why there was a delay of five months in disclosing the incident.
Additionally, The Philadelphia Inquirer reported that the City’s Department of Behavioral Health and Intellectual Disability Services (DBHIDS) experienced a HIPAA breach in June 2020 due to a phishing attack. During that incident, the email accounts of DBHIDS and Community Behavioral Health employees were hacked and accessed by attackers between March 31 and November 15, 2020.