PHILADELPHIA — The City of Philadelphia (the “City”) announced today an update on its investigation into a security incident that may have permitted multiple employee email accounts to be accessed by unauthorized individuals. This update relates to the incident initially reported on June 1, 2020, which impacted individuals served by the Department of Behavioral Health and Intellectual disAbility Services (“DBHIDS”) and its business associate, Community Behavioral Health (“CBH”) (posted online here). CBH assists DBHIDS in administering the behavioral health Medicaid program (HealthChoices) for the Philadelphia region. The City’s investigation since the initial report revealed that the incident impacted email accounts utilized by additional City departments.
On March 31, 2020, DBHIDS learned that an employee’s email account had been compromised as a result of a phishing attack. The Office of Innovation and Technology’s Information Security Group (“OIT”) immediately secured the account and began an investigation. Following this initial discovery, OIT discovered multiple additional DBHIDS and CBH accounts that were compromised as part of the attack. The password for each account was changed promptly upon discovery. The City’s investigation efforts have confirmed that the DBHIDS and CBH accounts were subject to unauthorized access intermittently between March 11 and November 15, 2020. The investigation further confirmed that additional City departments’ accounts were intermittently subject to unauthorized access between the start of this incident and January 2021. This attack is believed to be connected to a series of malicious attacks that targeted health care and social services agencies during the COVID-19 global pandemic.
To date, the investigation has been unable to confirm whether any unauthorized persons have viewed any emails or attachments in the compromised accounts. The DBHIDS and CBH accounts contained demographic and health-related information of individuals receiving services and supports through DBHIDS and CBH, including:
- Names, dates of birth, addresses;
- Account and/or medical record numbers;
- Health insurance information;
- Clinical information such as diagnosis, dates of service, provider names, and description of services the individual has applied for or was receiving; and
- For a limited number of individuals, scans of birth certificates, driver’s licenses, and/or Social Security cards.
The City continues to review the information present in the remaining departments’ accounts but believes that such information may include a mix of personally identifiable information such as names, dates of birth, addresses, driver’s license numbers or state identification numbers, and Social Security numbers.
Last August, DBHIDS began sending individual notification letters to affected individuals, and in those letters, offered complimentary credit and identity monitoring services. Since August, DBHIDS has continued to send notification letters, and offer these services as the identities and addresses of individuals whose information may have been exposed were determined. Similarly, after CBH’s investigation concluded in March, CBH began sending out notice letters to the individuals potentially impacted in the incident. DBHIDS and CBH posted substitute notice of the incident on their websites on June 1, 2020 and have continued to provide updates as the investigation progressed.
The City is in the process of sending direct notifications to individuals identified through its review of the remaining departments’ accounts. The City encourages everyone to routinely remain vigilant against incidents of identity theft and fraud by regularly reviewing bank account and credit card statements and monitoring health insurance claims or service authorization history for suspicious activity.
The City has made significant security improvements in response to this incident and the increasing cyber threats to local governments. To better protect against future incidents, the City has increased monitoring of network activity and implemented additional tools to enhance email security such as expanding multi-factor authentication to cover all of City email accounts. As part of its ongoing commitment to information privacy and security, the City has also updated its security policies and procedures and continues to educate users on how to identify and avoid malicious emails.
Individuals served by DBHIDS with questions or concerns can call 1-855-763-0063 for more information. CBH members can call 1-833-664-2001 for more information. Individuals who are not associated with DBHIDS or CBH but receive direct notice of this incident will receive contact information to utilize for further questions regarding this incident.