Malware
Philadelphia Confirms Massive Cyberattack: Over 35,000 Victims in May 2023 Breach
The City of Philadelphia has revealed that a May 2023 data breach impacted over 35,000 individuals. The breach exposed sensitive data, including social security numbers and addresses. The city has notified those affected and is offering free credit monitoring services to mitigate the potential risks of identity theft.
Imagine receiving a letter in the mail, only to find out that your sensitive personal and medical information has been exposed in a data breach. That’s what happened to over 35,000 people in Philadelphia back in May 2024.
When did this happen, and what information was exposed?
The breach was discovered in October, but our investigation revealed that the attackers had gained access to multiple email accounts between May 26, 2023, and July 28, 2023. The types of information exposed include:
- Demographic information, such as name, address, date of birth,
- Social security number, and other contact information;
- Medical information, such as diagnosis and treatment-related information;
- And limited financial information, such as claims information.
According to a filing with the Office of Maine’s Attorney General, a total of 35,881 individuals were affected by the data breach.
How were people notified, and what is being done about it?
Those affected by the breach, whose personal data (including name, address, Social Security number, and financial account information) was exposed, were notified on Monday, July 8. The City also mailed data breach notifications on May 16 to those whose protected health information was exposed in the breach.
In their breach notification letters, the City stated:
“In an abundance of caution, we conducted a thorough and in-depth review to determine what information was potentially accessible and to whom such information relates. Once complete, we also worked to validate the results and locate missing address information for those potentially affected. We recently completed this process, and then worked as quickly as possible to provide notice.”
Moreover, the City has informed federal law enforcement of the breach, is working to improve safeguards, and is providing training for its employees. Affected individuals are being offered free credit monitoring services for 12 months and guidance on better protecting themselves against identity theft and fraud.
Why did it take so long to disclose the breach, and has this happened before?
City officials have yet to explain how the attackers breached the City’s email accounts and why they delayed the disclosure for five months. This isn’t the first time something like this has happened in Philadelphia. The City’s Department of Behavioral Health and Intellectual Disability Services (DBHIDS) also disclosed a HIPAA breach four years ago, in June 2020, after the personal health information of individuals it served was compromised in a phishing attack.
At the time, a breach notice published on the organization’s website revealed that attackers had accessed the hacked email accounts of DBHIDS and Community Behavioral Health employees between March 31 and November 15, 2020.
What can you do to protect yourself?
While it’s unfortunate that these incidents continue to occur, it’s essential to stay vigilant and take steps to protect your sensitive information. We encourage you to keep coming back to learn more about how to safeguard your data and stay informed about the latest cybersecurity news and trends.