Philadelphia: Hackers spent three months accessing city gov’t email accounts
The government of Philadelphia said hackers spent at least three months inside city email systems, giving them wide access to health information stored in email accounts.
The city did not respond to requests for comment about how many people were affected by the situation, but in a notice released on Friday officials said an unauthorized actor had access to some city email accounts from May 26 to July 28.
The city became aware of suspicious activity in its email environment on May 24 but did not explain the discrepancy between the dates listed in the notice. The city discovered on August 22 that some of the email accounts accessed had protected health information in them, but subsequently waited until October to notify residents.
“The City’s comprehensive, programmatic and manual review is ongoing, and the types of information impacted vary by individual. However, the types of information impacted could include: demographic information, such as name, address, date of birth, social security number, and other contact information; medical information, such as diagnosis and other treatment related information; and limited financial information, such as claims information,” they explained.
“Upon learning of this event, we immediately took steps further [sic] secure our systems and email environment. As part of our ongoing commitment to information security, we are also reviewing our existing policies and procedures, implementing additional administrative and technical safeguards to further secure information in our care, and providing additional training on how to safeguard information in our email environment.”
City officials reported the issue to other regulators as well as the U.S. Department of Health, which has not yet added the event to its public list of reported breaches.
The city said it is still working with a cybersecurity firm to investigate the incident. This is the latest breach involving the city after two incidents in 2020. One incident involved a breach of a contractor for the City’s Department of Behavioral Health and Intellectual Disability Services that leaked the sensitive information of more than 108,000 people.
The city notified another 49,000 residents of a phishing attack that gave hackers access to city email inboxes.
Both the Philadelphia Inquirer and the Philadelphia Orchestra dealt with cyberattacks earlier this year.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.