HIV diagnoses, patient data released in Florida health department hack

TALLAHASSEE — Floridians’ recent HIV test results, detailed doctors’ notes and immunization and virus testing records were among thousands of state health department files seized by hackers — and released on the dark web last week.

Posted online are more than 20,000 files with some Floridians’ most sensitive information: lab results, signed medical release forms, workers compensation records and COVID-19 diagnoses. One file included a photo of a person’s passport. Another file is a woman’s negative mammogram result.

Many of the records include patients’ full names, dates of birth, addresses, Social Security numbers and insurance information. Most records are dated 2023 and 2024.

Florida Department of Health officials say they will be notifying patients whose personal information was illegally released.

The cyberattack was carried out by the international hacker group RansomHub, which demanded the state pay an undisclosed sum to prevent the release of the records. The state has a policy of not paying ransoms, and RansomHub released the files on its website on the dark web late last week.

The dark web is a subset of the internet used by people and groups to hide their locations and identities. It is not easily accessible.

The incident appears to be one of the worst data breaches in Florida’s history and far more extensive than officials in Gov. Ron DeSantis’ administration first acknowledged.

Last week, a Department of Health spokesperson waited more than three days to respond to inquiries from the Times/Herald about the hacking, then said that it suffered “a potential cyber incident” at the state’s online Vital Statistics system, used to issue birth and death certificates. That system remains down, frustrating Floridians needing to bury or cremate loved ones.

But many of the records released by the hackers are detailed test results labeled as coming from the Department of Health’s Bureau of Public Health Laboratories.

Three labs, in Jacksonville, Tampa and Miami, conduct tests for health departments and hospitals, including for infectious diseases such as HIV, hepatitis and COVID-19.

The files include names and in some cases intimate details written by doctors and nurses, such as one patient who was admitted to a South Florida hospital with multiple symptoms. Some people who tested positive or negative for hepatitis, dengue fever, salmonella, rabies and COVID-19 are included in the files.

The records appear far from a comprehensive list of everyone in the state who tested positive for those diseases. Most records viewed by the Times/Herald involve patients and hospitals in Broward County.

As the state’s public health agency, the Florida Department of Health, led by Surgeon General Joseph Ladapo, holds some of the state’s most sensitive information, including COVID-19 vaccine records, prescriptions for controlled substances and medical marijuana patient data.

None of that information appears in the records in a comprehensive format. Instead, the roughly 20,700 records are a hodgepodge of PDFs, document files, slideshows and spreadsheets. The Times/Herald viewed at most a couple hundred files to understand what type of information was stolen and released.

A health department employee’s workers compensation form is among the files, as well as detailed records about one woman’s premature birth in Broward County. The cybersecurity blog DataBreaches.net found in the files parents’ completed applications, with their Social Security numbers and expected delivery dates, for Florida’s Healthy Start Program, which provides Medicaid for new and expectant mothers.

But many, if not most, of the records appear to be harmless internal Department of Health information that might be considered a public record under state law: employee time off requests, expense reports, contracts, tattoo artist license applications and talking points about the state’s youth tobacco prevention campaign.

State response

When a person’s personal data is illegally released, state agencies have to notify the victim “as expeditiously as practicable and without unreasonable delay,” while taking into account the time needed to assess the breach and identify victims, according to state law.

Because the hacked files often aren’t labeled with a patient’s name, officials might face a painstaking task of opening each and looking for names and information.

“Any affected parties will be notified as a comprehensive assessment of the situation is completed,” Department of Health spokesperson Jae Williams said in a statement.

In the meantime, Williams said department health care providers are encouraged “to stay attentive to alerts from the Department and follow those best practices disseminated to secure data.”

Williams said the breach was part of a national wave of cyberattacks on health care providers. This week, RansomHub claimed to steal data from the pharmacy chain RiteAid. Earlier this year, hackers paralyzed the largest U.S. medical billing and payment system in the country, a subsidiary of UnitedHealth Group.

DeSantis’ administration in recent years has struggled to manage the surge in cyberattacks.

In the last three years, information on more than 10 million Floridians — equivalent to nearly half of the state’s population — has been exposed to hackers during breaches at state agencies, according to annual reports filed by the attorney general’s office. In many of those cases, Florida offered credit monitoring services to victims.

Times/Herald Tallahassee bureau reporter Alexandra Glorioso contributed to this report.