Florida’s Agency of Healthcare Administration is notifying 30,000 Medicaid patients their data may have been breached after an employee fell for a malicious phishing email in November.

The agency discovered the event on Nov. 20 and reported the event to its Inspector General. Officials were notified of preliminary results of an Inspector General review last week, which found no other systems or email accounts were part of the incident.

However, hackers possibly accessed Medicaid enrollee names, Medicaid ID numbers, dates of birth, addresses, diagnoses, medical conditions and Social Security numbers. The data of up to 30,000 patients was partially or fully accessed, and Social Security numbers or Medicaid IDs exposed for about 6 percent.

After the breach, the agency required employees to change login credentials to prevent further access and took steps to remediate the breach. Further, the agency implemented new security training, in addition to its ongoing training, to improve its security training for all employees and is looking into additional security functions.

Officials conducted a full review of the organization’s data to determine the circumstances around the breach, which is still ongoing. But those impacted are being offered a year of free credit monitoring.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com