City of Philadelphia

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The City of Philadelphia experienced a data breach that was first detected on May 24, 2023, when officials noticed suspicious activity within the city’s email system. The breach involved unauthorized access to city email accounts between May 26 and July 28, 2023. The compromised accounts contained personal and protected health information (PHI), including demographic details such as names, addresses, dates of birth, Social Security numbers, medical information like diagnoses and treatment-related information, and limited financial data such as claims information[1][3][7][9][13][15].

The city engaged third-party cybersecurity experts to investigate the breach and is conducting a comprehensive review of the affected email accounts to identify any potential breaches of personal information. Once the review is completed, the city will confirm the identities and contact information of potentially impacted individuals and notify them via written correspondence[1][3][7][9][13][15].

The city has reported the cyber breach to the U.S. Department of Health and Human Services and is reviewing its existing policies and procedures, implementing additional safeguards, and providing additional training to staff to further secure information[1][3][7][13][15].

Affected individuals have been advised to remain vigilant by reviewing account statements, credit reports, and any unusual activity. They should report any suspicious activity promptly to their insurance company, healthcare provider, or financial institution[1][3][7][15].

The city has also established a toll-free line for those potentially impacted, which can be reached at 1-888-867-2241, and has recommended that individuals take proactive measures such as obtaining free credit reports, placing fraud alerts, or implementing credit freezes on their credit files[3][7].

The incident has raised concerns about the delay in public disclosure, as the breach was detected in May but was not publicly disclosed until October. This delay has been criticized, especially considering Pennsylvania’s breach disclosure law, which requires municipalities to disclose a breach within seven days[7][9][15].

Citations:

  1. https://www.darkreading.com/cyberattacks-data-breaches/city-of-philadelphia-releases-cyber-breach-notice
  2. https://www.inquirer.com
  3. https://www.inquirer.com/news/philadelphia/data-breach-philadelphia-city-email-security-20231020.html
  4. https://6abc.com
  5. https://www.phila.gov/services/permits-violations-licenses/pay-a-penalty-fine-or-ticket/pay-a-code-violation-notice-cvn/
  6. https://www.dhs.gov
  7. https://www.infosecurity-magazine.com/news/philadelphia-alert-may-data-breach/
  8. https://www.ccp.edu
  9. https://securityaffairs.com/152909/hacking/city-of-philadelphia-data-breach.html
  10. https://www.nbcphiladelphia.com
  11. https://www.phila.gov/services/permits-violations-licenses/
  12. https://www.nbcphiladelphia.com/news/local/le-family-shooting-fire-east-lansdowne/3771749/
  13. https://statescoop.com/philadelphia-city-health-data-cyberattack-orange-county/
  14. https://www.aus.com
  15. https://www.bleepingcomputer.com/news/security/city-of-philadelphia-discloses-data-breach-after-five-months/
  16. https://www.tsa.gov
Breach Submission Date Oct 20, 2023
Converted Entity Name City of Philadelphia
Converted Entity Type Health Plan
State PA
Individuals Affected 501
Breach Type Hacking/IT Incident

Breach Information Location Email

Business Associate Present Yes