City of Philadelphia Investigating Data Breach

The City of Philadelphia is currently conducting an investigation into a data breach that occurred in May. Attackers were able to gain access to City email accounts that contained personal and protected health information. The breach was discovered on May 24 when suspicious activity was detected in the City’s email environment. However, it was later determined that the threat actors may have had access to the compromised email accounts for at least two months after the incident was discovered.

The breach notice, released by the City, states that between May 26, 2023, and July 28, 2023, an unauthorized actor may have gained access to certain City email accounts and the information contained within them. Additionally, on August 22, 2023, it was discovered that the affected email accounts may also contain protected health information.

The investigation is still ongoing, and a manual review of the impacted email accounts is currently taking place. The City has identified the types of information that may have been exposed, which include demographic information (such as name, address, and date of birth), social security numbers, other contact information, medical information (including diagnosis and treatment-related details), and limited financial information (such as claims information).

As a precautionary measure, the City is conducting a comprehensive review to determine the extent of the potential impact on personal and protected health information. If any individuals are found to be affected, the City will confirm their identities and contact information and provide them with written notification.

In light of the breach, City officials are advising individuals to remain vigilant against financial fraud attempts and potential incidents of identity theft. They recommend closely monitoring credit reports and account statements and promptly reporting any suspicious activity to insurance companies, healthcare providers, or banks.

At this time, City officials have not disclosed the details of how the attackers breached the City’s email accounts or the reasons for the delay in disclosing the incident for five months.

According to The Philadelphia Inquirer, the City’s Department of Behavioral Health and Intellectual Disability Services (DBHIDS) experienced a HIPAA breach in June 2020, where personal health information was compromised due to a phishing attack in March of that year. The breach affected the email accounts of DBHIDS and Community Behavioral Health employees, which were accessed by the attackers between March 31 and November 15, 2020.