Security Incident Information

We are committed to taking every reasonable step to prevent future breaches, which will include a review of our current security practices and policies to identify ways to strengthen them.

Continue reading to learn details of the incident and find a list of frequently asked questions. This will give you information to help protect yourself against the potential of harm.

If you have additional concerns, you can email your questions to [email protected], or call us at 1-888-540-KIDS (5437) Monday-Friday from 7:30 am–7:30 pm EST.

---

Florida Healthy Kids Announces Cybersecurity Incident

TALLAHASSEE, Fla. – The Florida Healthy Kids Corporation (FHKC) today announced a cybersecurity incident experienced by its vendor, Jelly Bean Communications Design, LLC., which was responsible for hosting the FHKC website at the time of the incident. The security incident involved the personal data of online applicants and enrollees. FHKC has no confirmation at this time that anyone’s personal information was removed from the system.

FHKC was notified on December 9, 2020, that several thousand applicant addresses had been inappropriately accessed and tampered with. These addresses are collected as part of the online Florida KidCare application. FHKC engaged independent cybersecurity experts to conduct a thorough review of the incident to confirm the scope and severity of the security incident.

The cybersecurity experts identified significant vulnerabilities in the hosted website platform and the databases that support the online Florida KidCare application. FHKC learned that these vulnerabilities spanned a seven-year period from November 2013 until December 2020. FHKC temporarily shut down the website and databases in December 2020.

The tampering of applicant addresses, together with the potential exposure of personal information dating back to November 2013, constitutes a reportable data breach under Florida and federal law.

The types of information that may have been exposed include:

• Full Name and Date of Birth
• Email Address and Telephone Number
• Physical Address and Mailing Address, if different
• Social Security Number
• Financial Information, to include wages, alimony, child support, royalties, other income, and tax deductions
• Family relationships of those individuals included on the Florida KidCare Application (i.e. mother of child, sister/brother of applicant, etc.)
• Secondary Insurance Information

What Consumers Can Do To Protect Themselves

Individuals who applied or enrolled with Florida KidCare coverage between November 2013 – December 2020 are encouraged to take readily available steps to protect themselves from potential harm, including:

• Fraud alerts – Fraud alerts are a free service offered by all three national credit reporting agencies (Experian, Equifax and TransUnion) and requires potential creditors to contact an individual before any new account is opened. Fraud alerts remain in place for one year, and consumers only need to contact one credit agency for all three credit agencies to place a fraud alert on an account.
• Security freezes - Security freezes are beneficial tools for parents to protect children who have no need for credit accounts. A security freeze, also known as a credit freeze, is the best way to prevent new accounts from being opened without a person’s permission. It is a free service offered by all three national credit reporting agencies (Experian, Equifax and TransUnion) that prevents new credit accounts from being opened under someone’s name without written authorization. Be aware that a security freeze will impact the ability to apply for new credit (such as a car loan, home loan, credit card, etc.). Unlike a fraud alert, consumers must contact each credit reporting agency separately to set up a security freeze.
• Monitoring - Close monitoring of all credit card, bank, and credit agency reports for any unusual activities is recommended. For additional information on how to protect one’s identity and to report identity theft, visit the Federal Trade Commission's website at www.ftc.gov.

To set up a fraud alert or security freeze, please contact the three national credit reporting agencies below:

1. Equifax: 1-800-525-6285; www.equifax.com
2. Experian: 1-888-397-3742; www.experian.com
3. TransUnion: 1-800-680-7289; www.transunion.com

FHKC is committed to taking every reasonable step to prevent future breaches, which will include a review of our current security practices and policies to identify ways to strengthen them. FHKC is accelerating efforts previously underway to transition the website to a new vendor. These efforts will help ensure family information is protected.

Information has been posted on the FHKC website, www.healthykids.org, where consumers can learn more information and read frequently asked questions. Consumers can also email questions to [email protected], or call 1-888-540-KIDS (5437) Monday-Friday from 7:30 am–7:30 pm EST.

---

Frequently Asked Questions

• What happened?
  Florida Healthy Kids uses an outside vendor to host the Florida Healthy Kids website. Our vendor’s web hosting platform was hacked. Personal information supplied by Florida families who completed our online Florida KidCare Application has been exposed by hackers to unauthorized individuals who could have used (or may use) that personal information.
   
• When did Florida Healthy Kids learn about the hack?
  December 9, 2020.
   
• How has Florida Healthy Kids notified Florida families about this hack?
  Yes. Florida Healthy Kids issued a press release to print and broadcast media outlets.
   
• What did Florida Healthy Kids do when it learned about the hack?
  Florida Healthy Kids took down its website. Florida Healthy Kids hired a cybersecurity expert to investigate the hack to tell us what information may have been used, altered, exposed or removed from the database.
  
  The Florida KidCare online application will remain down until it is restored by our new web hosting vendor.
   
• What did your cybersecurity expert discover?
  Florida Healthy Kids learned that its web hosting vendor had failed to apply security patches to its software, thereby exposing the website to vulnerabilities that were ultimately exploited by the hackers.
   
• Why did Florida Healthy Kids have my personal information in the first place?
  If you applied for benefits online or if you renewed your health or dental coverage between 2013 and 2020, you supplied that personal information yourself when you completed the Florida KidCare Application.
   
• What pieces of my personal information may have been exposed to the hackers?
  Florida Healthy Kids discovered that street addresses in some of the Florida KidCare applications were altered by the hackers.
  
  Although our cybersecurity expert did not find evidence that any other personal information was altered, used or accessed, given the length of time during which the webhosting software was vulnerable to attack, all of your personal information in Florida KidCare application could have been exposed, used or accessed by the hackers:
  • full names
  • dates of birth
  • email addresses
  • telephone numbers
  • physical addresses and mailing addresses
  • Social Security numbers
  • financial Information (including wages, alimony, child support, royalties, other income, and tax deductions)
  • the family relationships of those individuals included on the Florida KidCare Application (for example, mother of child, sister/brother of applicant, etc.)
  • secondary insurance information
  
  
• Was any medical information about my family exposed or used in the hack?
  No. No medical information or treatment information was stored in the hacked database.
   
• Were any medical records of any of my family members exposed or hacked?
  No. No medical records were stored in the hacked database.
   
• How might the hack of the Florida Healthy Kids website affect me and my family?
  If an unauthorized individual who has accessed our database actually uses your personal information for criminal purposes—such as identity theft or credit fraud—you could be negatively affected.
   
• Will this security incident impact my child’s insurance coverage?
  No. The Florida KidCare coverage of current enrollees will not be affected.
   
• If the Florida Healthy Kids website is down, how do I complete an application I previously started?
  You will need to start over. You will need to replicate the information previously entered on your Florida KidCare Application by completing an ACCESS application on the website of the Department of Children and Families. You may also find the ACCESS application by visiting either the Florida KidCare or the Healthy Kids website homepages and click “Apply” to be automatically routed there.
  
  If your children are eligible for a $15 or $20 per month plan, or a full-pay plan, then your application will be automatically sent to Florida KidCare for final processing. There is nothing extra you need to do to make sure your application reaches us. We thank you for your patience.
   
• What if I’m an existing enrollee and need to upload documents to my account?
  If you need to submit documents for your application or renewal, you have these convenient options:
  • Email copies to [email protected],
  • Mail copies to P.O. Box 591, Tallahassee, Florida 32302-0591, or
  • Fax copies to 1-866-867-0054
  As with any information shared over the Internet, please be aware that emails must be encrypted in order to be secure. Without encryption, a third party may be able to intercept, read, alter, forward, or use the email without your authorization or detection. Your email provider (Yahoo, Gmail, etc.) will have specific information on how to encrypt email messages. Please do not password protect your documents, as doing so could delay or prevent our processing of your application or renewal.
   
• I need to make a change to my AutoPay. How do I do that?
  Our customer service representatives would be happy to help. Please give us a call at 1-888-540-5437 Monday-Friday from 7:30 a.m. to 7:30 p.m. ET.
   
• I need to make other changes to my online account. How do I do that?
  Our customer service representatives would be happy to help. Please give us a call at 1-888-540-5437 Monday-Friday from 7:30 a.m. to 7:30 p.m. ET.
   
• Is my personal information safe with Florida Healthy Kids?
  Yes. The security of your personal information is important to us and we take this responsibility seriously. We have taken appropriate steps to ensure your personal information is and remains safe, and we are implementing new policies and procedures in the aftermath of this hack.
   
• Should I check my credit report? How do I do that?
  Yes. You should check your credit reports regularly, regardless of whether your personal information might have been exposed through a security breach. By law, you are entitled to a free annual credit report from each of the three national credit reporting agencies (Experian, Equifax, TransUnion). When you receive your credit report, review it carefully for signs of suspicious activity, errors, and inconsistencies. Checking your credit report will not affect your credit rating. If you have questions or notice incorrect information, contact the credit reporting company directly. You can request your credit reports from all three national credit reporting agencies at annualcreditreport.com, or by calling us (877) 322-8228.
   
• What are some common warning signs of identity theft or fraud that I should be looking for on my credit accounts?
  According to annualcreditreport.com, the following are common warning signs of identity theft or fraud:
  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit that you did not apply for
  • Calls or letters about purchases you did not make
  • Charges on your financial statements that you do not recognize
  • Incorrect information on your credit reports - accounts or addresses you do not recognize or information that is inaccurate
  
  
• How can I protect my credit?
  You may place a fraud alert or security freeze on your credit accounts as precautionary measures.
  
  A fraud alert notifies creditors to contact you before they open new accounts or change existing ones. It is an extra layer of security for your credit account. You may request a fraud alert from each of the three major credit reporting agencies, free of charge and it will be valid for one year. You may renew the fraud alert as often as necessary. After the first credit reporting agency confirms your fraud alert, the other two credit reporting agencies will be instructed to place alerts on your credit report. A fraud alert does not affect your credit score and still allows you to make purchases on your credit card whenever you want.
  
  A security freeze prevents lenders from checking your credit in order to open new accounts. If a security freeze is in place, no lender may open a new account in your name without your written authorization. Be aware that a security freeze will impact your ability to apply for new credit (such as car loan, home loan, credit card, etc.). This is a free service.
  
  To set up a fraud alert or security freeze on your credit accounts, you need to contact the three national credit reporting agencies below:
  • Equifax: 1-800-525-6285; www.equifax.com
  • Experian: 1-888-397-3742; www.experian.com
  • TransUnion: 1-800-680-7289; www.transunion.com
  
  
• If I think my information may have been impacted by this cybersecurity incident, who should I call?
  You should call us at 1-888-540-KIDS (5437) Monday – Friday between 7:30 a.m. to 7:30 p.m. Eastern Time. You may also send us an email at [email protected].