The City of Philadelphia Discloses Data Breach

The City of Philadelphia has come forward to disclose a substantial data breach, revealing that unauthorized actors may have gained access to City email accounts containing sensitive personal details and protected health information. The breach, initially discovered on May 24 due to suspicious activity in the City's email environment, was only publicly disclosed after a five-month investigation.

According to details provided by BleepingComputer, the threat actors potentially accessed the compromised email accounts for at least two months following the City's discovery of the incident, with the unauthorized access being believed to have occurred between May 26, 2023, and July 28, 2023. The City is currently conducting a comprehensive review of the potentially impacted email accounts to ascertain the full extent of the breach and identify the individuals affected.

The exposed information in the breach includes details such as names, addresses, dates of birth, social security numbers, and other contact information. Additionally, medical information, including diagnoses and treatment-related details, as well as limited financial information like claims data, were also potentially compromised.

City officials have urged individuals who may have been affected by the breach to remain vigilant against financial fraud and identity theft. They have advised monitoring credit reports and account statements closely and to promptly inform their insurance company, healthcare provider, and bank about any suspicious activity.

The City has not provided specific details on how the attackers breached the email accounts or why there was a significant delay in disclosing the incident. This incident follows a previous HIPAA breach disclosed by the City's Department of Behavioral Health and Intellectual Disability Services (DBHIDS) in June 2020.

In response to the breach, the City is conducting a thorough review of the potentially impacted email accounts to determine whether personal or protected health information was stolen. If so, the City will work to confirm the identities and contact information of impacted individuals and provide notice via written letter.

This data breach highlights the ongoing challenges that organizations face in protecting sensitive information and the importance of prompt response to security incidents. It also serves as a crucial reminder for individuals to take proactive steps in monitoring their personal and financial information to safeguard against potential fraud and identity theft.