9 Investigates

Hear from patient whose medical records got leaked in Florida health department data breach

ORLANDO, Fla. — It’s been nearly three weeks since thousands of files from the Florida Department of Health were leaked onto the dark web.

WATCH CHANNEL 9 EYEWITNESS NEWS

Now, sensitive medical information on dozens of Floridians is out there and even more than what we originally reported.

9 Investigates confirmed RansomHub, an international ransomware gang, published more than 50,000 files are on the dark web earlier this month.

We learned many of the patients whose information was compromised likely still don’t know.

Read: State lawmakers demand answers from Florida Department of Health after massive data breach

Earlier this month, we worked with a cyber threat analyst that accessed the names of each of the files. We found dozens of patients’ names listed on the files. Over the past two weeks, we’ve gone through those file names and contacted some of the victims.

We spoke to one man who was tested for HIV. He had heard of the hack but had no idea his information was out there.

Another man we spoke with, Glenroy Davey, said he also didn’t know his information was leaked. He was taken to a hospital after he was attacked by a pitbull.

Read: 9 Investigates confirms stolen Florida patient data published to dark web

Patients concerned about compromised information

“When you called me and you said you said all this information to me about what happened, I was like, whoa, where did she get all this?,” Davey said.

We found two of Davey’s records among the leaked files. It was labeled with his name and “animal bite”.

The attack happened more than three months ago—on April 15. Davey says it was a day that started like any other. Davey and his dog took their normal morning walk around the neighborhood.

But the morning of April 15, a pitbull charged towards them.

“I feel like something grabbed my finger. So I grabbed my finger right away, and he come back again,” Davey said.

Then, the pitbull attacked Davey’s 8-year-old dog, Jazz.

“And he didn’t let it go for a good 15, 20 minutes,” Davey said.

The vet said the vicious attack was too much for Jazz to survive.

“I miss him with all of my heart. It’s like a son, you know, a child,” Davey said.

Read: Florida Department of Health confirms it was targeted by criminal hacking group

The attack left Davey with a gash on his leg and more on his hands.

Medical staff documented the attack and Davey’s condition.

We found it all on the dark web.

In the form, we found his address, phone number, date of birth and more information on the attack.

“You you don’t know what these people [hackers] have. You know, I don’t know what’s going on right now with my information,” Davey told 9 Investigates.

There were files on other Florida patients that were much more sensitive than Davey’s.

It includes lab work for HIV and hepatitis, detailed doctor’s notes, birth certificates, and social security numbers.

Sometimes, the files had the results. We found one file showing a lost pregnancy next to a patient’s name.

Several records tie back to Broward County

9 Investigates found many patients had something in common with Davey.

Majority we contacted or searched either lived or were treated in Broward County.

We also found files with employees’ names. All either worked or once worked at the Broward County Health Department. Files were labeled as flyers for different Broward County events.

There were mentions of more than a dozen Broward County Schools

Several records tied to the February measles outbreak at an elementary school, including files of who the infected patients had contact with.

Overall, 9 Investigates found more than 600 mentions of Broward-- solely in the label on the file.

“They all seem to be from one source, which you can make conclusions. You can draw some inferences from that. Although we don’t really know whether they gained access to data from a specific county, and just happened to gain some additional data from outside that county,” said Luke Connolly, cyber threat analyst with Emsisoft.

Read: ‘Possible cyber incident’ delaying Florida from issuing new birth, death certificates

At this point, Connolly says there really is no way to know for sure if only Broward County Health Department was hacked or if this was a statewide breach.

If the breach happened in Broward County, it still could have provided access to statewide records.

He says where the breach originated and who all was affected will be revealed as the Florida Department of Health continues their investigation.

We asked the Florida Department of Health if it’s identified Broward as the point of entry for the hackers. The spokesperson did not respond.

However, in a previous statement from July 12, the department said it’s still working to understand the scope and extent of the attack.

In that same statement, the department said it would notify “any affected parties” after it completes a “comprehensive assessment.”

Hack victims want transparency from the state

Either way, Davey says he feels like he should have been notified earlier. He says his information should have been more protected.

“I think the organization that’s responsible for this disinformation is doing a sloppy job because that information should never be able to get into the hands of someone else,” Davey said.

We contacted only a handful of the victims. We found the patients solely using the label on the files. We did not access the contents of the files with the exception of Davey’s records.

All patients we spoke to said we were the only ones to contact them about the breach--not the Florida Department of Health.

“I have never received a call from them,” Davey said.

Read: Hackers claim massive data heist of Florida Health Department system

“I have to think of the ‘what ifs.’ What if a cybercriminal would have contacted you instead of a journalist. They could have used that information to blackmail or target you? Are you concerned about that?,” investigative reporter Ashlyn Webb asked.

“I am concerned. I am concerned now more than ever because, you know, you don’t know where these people are coming from these days,” Davey said. “But I never knew it would come my way.”

Davey says he’s concerned of what could happen with his compromised information now that he’s learned he is a victim of the breach. He says this is added stress along with losing a dog and paying piling medical bills.

When asked for an update on the breach investigation, the Florida Department of Health said it would provide additional information “when appropriate,” but referred to its previous statement.

The agency provided 9 Investigates with the following statement July 12:

“The Florida Department of Health (Department) is working diligently with law enforcement and all relevant stakeholders in responding to one of multiple attacks perpetrated by criminal hacking organizations against several states in a nationwide and worldwide trend of cybersecurity attacks targeting healthcare organizations. The majority of Department systems and services remain operational with no disruptions. In an effort to protect the private data of Floridians, certain systems were proactively brought offline to strengthen security measures and bolster monitoring. The Department remains engaged in protecting data as the scope and extent of this attack is fully understood.

Any affected parties will be notified as a comprehensive assessment of the situation is completed. We encourage all FDOH healthcare providers to stay attentive to alerts from the Department and follow those best practices disseminated to secure data.

This incident has also been referred to FDLE for investigation, and criminal activity will be prosecuted to the fullest extent of the law.”

Click here to download our free news, weather and smart TV apps. And click here to stream Channel 9 Eyewitness News live.

0