Cyber Incident Victim: Florida Healthy Kids Corporation

On December 9, 2020, Florida Healthy Kids Corporation (FHKC) disclosed a breach of its website affecting applicants and enrollees in the Florida KidCare program. The incident was attributed to Jelly Bean Communications Design, FHKC’s web hosting vendor for the prior seven years. Unpatched vulnerabilities in the vendor’s software allowed unauthorized access to personal information between November 2013 and the breach’s discovery date. Exposed data included full names, dates of birth, email and physical addresses, telephone numbers, Social Security Numbers, and detailed financial information such as wages, alimony, child support, royalties, other income sources, and tax deductions. Family relationships listed on applications and secondary insurance details were also compromised. FHKC confirmed the vendor identified the intrusion but did not specify the exact number of affected individuals at the initial disclosure.

An independent forensic investigation commissioned by FHKC determined that Jelly Bean Communications Design failed to apply necessary security patches, leaving the website susceptible to exploitation. Hackers manipulated data within the system, altering street addresses in some Florida KidCare applications. FHKC published an incident notice and FAQ on its website to inform the public, though it did not detail technical containment measures beyond terminating the vendor’s access. On February 12, 2021, the breach was reported to the U.S. Department of Health and Human Services as impacting 3.5 million individuals, reflecting the scale of exposure over the seven-year period. No additional attacker motives or methodologies were disclosed beyond the exploitation of unpatched software vulnerabilities.