Florida Department of Health, thousands of sensitive data records have been published by the RansomHub group


The data theft from the Florida Department of Health servers should not surprise us at all, considering that David Taylor, former Chief Information Officer of the State of Florida and Executive Director for the Agency for Enterprise Information Technology, a position he held from 2008 to 2012, had already predicted it in 2021.

In an article, journalist Lawrence Mower of the Tampa Bay Times quoted Taylor as saying that the only reason the state had not yet experienced a critical system-wide breach was that attackers were busy targeting wealthier victims.

Last June, an affiliate of the ransomware group RansomHub managed to infiltrate the Florida Department of Health’s IT systems, exfiltrating 100GB of data.

RansomHub gave the Department of Health a deadline to pay the ransom, after which the data would be published on their .onion blog. After the ransom went unpaid, RansomHub released a considerable amount of data on their blog.

Yesterday, after we sent emails to the Florida Department of Health and five other Department offices requesting a statement on the matter, Jae Williams (Deputy Communications Director, Florida Department of Health) emailed us, letting us know that…

Marco,

The Florida Department of Health (Department) is working diligently to resolve the temporary outage impacting the online Vital Statistics system. To facilitate continued operations of death certificates, the Department has worked closely with funeral homes and health care facilities to implement offline procedures during this period.[…]

“We are working around the clock to restore the online Vital Statistics system,” said State Surgeon General Dr. Joseph Ladapo. “The majority of Department operations and services remain operational and unchanged.”

County health departments remain able to issue copies of birth certificates for individuals born before June 28, 2024. For births on or after this date, the Department is working with hospitals to continue manual processing of birth certificates.[…]

[…]For questions and concerns regarding Vital Statistics services, please email [email protected].

The email we received contains no statement explaining to the media, and especially to the citizens, what really happened. In an article published by the Tampa Bay Times on July 3rd, a department spokesperson referred to Governor Ron DeSantis, confirming that the department had experienced “a potential cybersecurity incident.”

These statements lack full transparency and do not clarify the true severity of the situation. They fail to appropriately identify what actually occurred to the Department’s IT infrastructure, which was a ransomware attack.

The Florida Department of Health suffered a ransomware attack, resulting in the loss and subsequent publication of a *vast amount of sensitive data (PHI and PII) of citizens. This is unequivocal, as the documents are still accessible on the Tor network.

*The data published by RansomHub is only a portion of the total 100GB exfiltrated from the servers.


Screenshot and redaction by SuspectFile.com


Screenshot and redaction by SuspectFile.com

SuspectFile.com has had the opportunity to analyze these documents, and we can confirm that they are not limited to administrative documents or the Vital Statistics system. Among the thousands of documents analyzed, there are:

– Copies of patient medical records
– Copies of diagnostic exams
– Chest X-Ray Scheduling Logs
– Copies of WIC Program Notification of Ineligibility/Suspension Forms
– Copies of Certifications of Birth
– Copies of Verification of HIV
– Florida Confidential Vector-Borne Disease Infection Case Reports
– Salmonellosis Case Report Forms
– Copies of medical documents issued by Emergency Rooms
– Copies of medical documents issued after outpatient visits
– Copies of laboratory tests
– Copies of driver’s licenses
– Copies of passports
– Names and surnames of patients and employees
– Residential addresses
– Social Security Numbers (SSNs)
– Email addresses
– Phone numbers
– Health insurance numbers

and, as previously mentioned, copies of administrative documents. To use an understatement, we would describe this situation as alarming.

In two Excel files [“(OLD DMI) Chest X-Ray Scheduling Log.xlsx”, covering the period from January 2022 to October 2023, and “(New) Chest X-Ray Scheduling Log.xlsx”, covering the period from November 2023 to June 2024], we found a total of 4,316 names of patients who underwent Chest X-Ray exams.

The documents include:

– Patient names
– Dates of birth
– Names of the diagnostic centers used


Screenshot and redaction by SuspectFile.com

Various tables in the data also give the number of exams, with percentages, performed at each of the 7 medical-hospital facilities used during the period from 2022 to 2024:

– DMI-Plantation
– DMI-Hollywood
– DMI-Pembroke Pines
– Broward Health Medical Center
– POM MRI – Cooper City
– POM MRI – Plantation
– Hollywood Diagnostic Center


Screenshot and redaction by SuspectFile.com

Among the data published by the ransomware group, there are, for example, laboratory test results, medical documents indicating HIV positivity, and, unfortunately, medical records of minors. One of these records pertains to an 8-year-old child. Additionally, many other sensitive documents stored without any protection on the Florida Department of Health servers have been published.


Screenshot and redaction by SuspectFile.com

What has been done to protect these data?

This represents grave negligence that, in our opinion, is also due to the department's poor management of cybersecurity in recent years. As we have read in articles published in local newspapers, this may be attributed to the poor selection of personnel appointed to lead one of the most delicate and strategic departments of any public administration, which stores hundreds of thousands of citizens’ data in its digital archives.

At the time of writing, no statement regarding the incident has been published on the homepage of the official website.

SuspectFile.com will update the article with any new developments.