Cyber Incident Victim: Hillsborough County
Date: Jun 2023
Location: United States of America
Summary
Hillsborough County was potentially affected by a global data breach involving the third-party MOVEit file transfer tool. The incident may have compromised the protected health and personal information of over 70,000 individuals served by its Health Care and Aging Services departments. Exposed data included names, Social Security numbers, dates of birth, home addresses, and medical information. The breach also impacted employees of a dozen vendors working with the county.
Description
On or around June 1, 2023, Hillsborough County was notified by MOVEit, a third-party file transfer tool, of a global data breach impacting its software. The county used MOVEit for services that comply with federal Health Insurance Portability and Accountability Act (HIPAA) regulations. The breach was not a targeted attack against Hillsborough County; the county was potentially affected as a customer of the compromised third-party service. The global cyberattack also impacted numerous higher education, healthcare, and other institutions across the nation.

Upon notification from MOVEit on June 1, county staff immediately began installing security measures provided by the vendor to address the vulnerability. The county’s cybersecurity staff subsequently learned on June 18 that files belonging to two specific departments, Health Care Services and Aging Services, had potentially been at risk due to this breach. An investigation was initiated to determine the scope and impact of the potential data exposure.

The investigation confirmed that the files contained protected health information and personal identification information. The types of data potentially accessed included individuals' names, Social Security numbers, dates of birth, and home addresses. Furthermore, the files contained sensitive health information such as medical conditions, diagnoses, and disabilities. This data was related to individuals served by the Hillsborough County Health Care Services department, which oversees the delivery and administration of medical services, including the county’s managed-care plan for residents who do not qualify for other health care coverage.

The total number of individuals potentially affected was substantial. Hillsborough County mailed official notification letters to 70,636 people to inform them that their personal and health information may have been compromised in this incident. Beyond clients of county services, the breach also potentially affected 106 people employed by a dozen different vendors used by the county’s Aging Services Department. These vendors were separately notified that their employees' data could have been compromised.

In response to the incident, Hillsborough County undertook several specific actions to address the potential harm to affected individuals. The county committed to notifying the major credit monitoring bureaus about all those potentially impacted by the data breach. This step was taken to help monitor for and prevent potential identity theft or fraud resulting from the exposure of personal information. Furthermore, in compliance with legal and regulatory requirements, the county began notifying the Florida Department of Legal Affairs, which includes the Office of the Attorney General, and the U.S. Department of Health and Human Services’ Office for Civil Rights.

To provide direct support and information to the affected residents, the county established a dedicated, toll-free helpline. This phone number, 1-833-963-4357, was set to become operational at 8 a.m. on Monday, July 17, 2023. The helpline was scheduled to be available from 8 a.m. to 5 p.m., Monday through Friday, to answer questions from concerned individuals and provide guidance on the steps being taken. The public notification of the breach was made via a county news release on May 31, 2023, which detailed the nature of the incident and the county's response efforts.
