Hillsborough Notifies Residents, Vendors of Global Data Breach

Hillsborough County, Fla. (July 14, 2023) - Hillsborough County has notified some vendors and residents that a global data breach involving the MOVEit file transfer tool might have put some of their personal information at risk.

On June 1, Hillsborough County was notified by MoveIT, a HIPAA-compliant third-party file transfer service provider, of a global data breach. Hillsborough County Cyber Security staff immediately contacted the company for further details and instructions and installed all updated security patches as provided by the vendor. Over the following two weeks, staff continued to work with the vendor on additional security patches and received additional information.

On June 18, Cyber Security staff learned that Hillsborough County files could have potentially been impacted by the breach and in coordination with the County's HIPAA Officer reviewed the affected files. It was determined that the files belonged to the Healthcare Services and Aging Services departments and potentially contained protected health information and personal information. Protected health and personal information could include first and last names, Social Security numbers, dates of birth, home addresses, medical conditions and diagnoses, and disability codes.

Hillsborough County files were not specifically targeted in the cyberattack, but the County was potentially affected as a customer of MOVEit.

The breach potentially affected files involving those served by Hillsborough County Health Care Services, which oversees the delivery and administration of a wide variety of medical services, including the County's managed-care plan for residents who don't qualify for other health care coverage. The breach also potentially affected Aging Services vendor employees (106). The County has notified 12 vendors of Hillsborough County Aging Services that the data breaches potentially exposed information involving their employees. The vendors will notify their employees.

It is unknown how many people might have had their health or identification information compromised, but in an abundance of caution, Hillsborough County has mailed notification letters to clients of Healthcare Services and known affected vendors of Aging Services - a total of 70,636 people - of the data breach.

Hillsborough County is notifying the credit monitoring bureaus of all those potentially impacted by the data breaches as well as the Florida Department of Legal Affairs/Office of Attorney General and the U.S. Department of Health and Human Services' Office of Civil Rights.

Hillsborough County advises those notified of the potential breach to consider taking these steps to protect themselves from potential fraud:

Call the toll-free numbers of any one of the three major credit bureaus (below) to place a fraud alert on your credit report. This can help prevent thieves from opening additional accounts in your name. As soon as the credit bureau confirms your fraud alert, the other two credit bureaus will automatically be notified to place alerts on your credit report as well.

• Equifax: 1-866-640-2273; Equifax.com

• Experian: 1-888-EXPERIAN (397-3742); Experian.com

• TransUnion: 1-800-680-7289; Transunion.com

Establishing a fraud alert will prompt a follow-up letter that will explain how to receive a free credit report. When you receive your credit report, examine it closely for signs of fraud, such as credit accounts that are not yours. Continue to monitor your credit reports. Even if a fraud alert has been placed on your account, you should continue to monitor your credit reports to ensure that an imposter has not opened an account with your personal information.

Individuals with questions may reach the County at the dedicated toll-free number 1-833-963-4357 between 8 a.m. and 5 p.m. Monday through Friday. The toll-free number will open at 8 a.m. Monday, July 17.