Healthy Kids children’s insurance organization discovered its data had been left exposed for 7 years because its hosting company failed to patch a vulnerability. Data breached included the personal information of thousands of health plan applicants.
The Cause: An Unpatched Vulnerability
Healthy Kids is a US children’s insurance organization based in Florida. It was established in 1990 to help uninsured children get access to affordable health insurance. It administers a dental and health insurance program for children aged 5 through to 18.
Furthermore, the organization runs an online children’s health insurance application for its health plan holders and applicants. However, it was recently forced to shut the website down when it was made aware that its data may have been breached. Healthy Kids was notified by cybersecurity experts that its web hosting company, Jelly Bean Communications Design, had experienced a data breach. And that, consequently, their online application may also have been compromised.
This led Healthy Kids to employ independent cybersecurity experts to review their systems. The experts found significant vulnerabilities in the hosted website platform. Moreover, they discovered anomalies in the databases that support the online application. According to a press release from Healthy Kids (press release seems to be removed by source), the cause of the incident was the web hosting vendor. They allegedly failed to apply security patches to their software. This exposed the website to vulnerabilities that were ultimately exploited by cybercriminals.
The vulnerabilities spanned a 7-year period from November 2013 until December 2020. Healthy Kids’ online application data was left exposed for the full duration of this 7-year period.
Last week, Healthy Kids notified hundreds of thousands of its health plan holders and applicants of the 7‑year data breach via a press release. The press release states that the private information of several thousand insurance applicants had been accessed by hackers. Furthermore, the cybercriminals tampered with applicants’ address data. However, Healthy Kids says that it has no evidence that anyone’s data had been removed from the system.
The information exposed included individuals’ full names, dates of birth, email addresses and phone numbers. As well as physical and mailing addresses, Social Security numbers and family relationships. Also, accessed was certain financial information relating to applicants’ wages, alimony and child support.
The tampering with data and the potential exposure of personal information dating back to November 2013, constitutes a reportable data breach under Florida and US federal law.
Healthy Kids Response to the Breach
In response to the breach, Healthy Kids have stated that they are “committed to taking every reasonable step to prevent future breaches.” Consequently, the organization is reviewing their security policies and practices so as to identify ways of strengthening them.
The organization is also moving its online platform to a new hosting company. The press release states that “The Florida KidCare online application will remain down until it is restored by our new web hosting vendor.”
The press release also recommends that individuals who applied for health plans between November 2013 and December 2020 set up fraud alerts or security freezes. The document details what these are and how to go about putting them in place. These security measures are recommended, since with the type of data exposed, identity theft is possible.