Cyber Incident Victim: City of Philadelphia
Date: May 2023
Location: United States of America
Summary
The City of Philadelphia experienced a cyberattack involving unauthorized access to its email systems over a multi-month period, potentially compromising sensitive information of city employees. The breach exposed personal and health-related data, including names, addresses, Social Security numbers, dates of birth, medical diagnoses, treatment details, and limited financial claims information. Following the discovery of suspicious email activity, the municipality initiated an investigation with third-party cybersecurity specialists, implemented additional safeguards to secure its systems, and began notifying affected individuals. The incident was reported to federal health authorities, and ongoing reviews aim to identify all impacted parties while reinforcing email security protocols and staff training.
Description
On May 24, 2023, the City of Philadelphia detected suspicious activity within its email environment, prompting an immediate investigation with assistance from third-party cybersecurity specialists. The investigation determined that between May 26 and July 28, 2023, an unauthorized actor potentially gained access to certain city email accounts. While the full scope remained under review, the compromised accounts contained sensitive information belonging to city employees. On August 22, 2023, officials confirmed these email accounts included protected health information (PHI), expanding the severity of the breach. The types of exposed data varied by individual but encompassed demographic details such as names, addresses, dates of birth, and Social Security numbers, alongside medical information including diagnoses, treatment details, and limited financial claims data. The breach period lasted 63 days, during which attackers maintained persistent access to email systems.

The city initiated containment measures by securing its email environment and systems upon discovery. It reported the incident to the U.S. Department of Health and Human Services and committed to notifying other regulators as necessary. The city began a comprehensive manual and programmatic review of the affected email accounts to identify impacted individuals, with plans to issue written notifications once identities and contact details were verified. Concurrently, Philadelphia launched an internal review of information security policies, implemented additional administrative and technical safeguards, and expanded employee training on email security protocols. The investigation remained ongoing as of October 20, 2023, with no public attribution to specific threat actors or disclosure of initial attack vectors. The incident exposed vulnerabilities in the city’s email-based data handling, particularly concerning PHI storage and transmission practices.
