Philly data breach that impacted health employee emails also hit other departments

Philadelphia’s Health Center #1 at Broad and Lombard streets. (Kimberly Paynter/WHYY)

Philadelphia’s Health Center #1 at Broad and Lombard streets. (Kimberly Paynter/WHYY)

The City of Philadelphia has released an update on an investigation into a data breach that left some employee email accounts accessible to unauthorized individuals.

The incident, initially identified in March 2020, was the result of an employee’s email account that was exposed due to a phishing attack. The breach impacted people receiving services from the Department of Behavioral Health and Intellectual disAbility Services, as well as Community Behavioral Health, a nonprofit contracted by the city to administer the behavioral health Medicaid program, HealthChoices.

The city’s investigation has revealed that the breach did impact other city employee emails in departments outside of DBHIDS, and that DBHIDS and CBH accounts were accessed without authorization between March 11 and Nov. 15, 2020. The investigation also showed that other city department emails were accessed from March 2020 to January 2021.

  • WHYY thanks our sponsors — become a WHYY sponsor

It appears the hack is connected to a series of attacks targeting health care and social service organizations and agencies during the pandemic. The city has yet to confirm whether emails and/or confidential email attachments were viewed due to the breach. The accounts affected had access to demographic and health-related information for people receiving services through DBHIDS and CBH, including names, dates of birth, addresses, account and medical record numbers, health insurance information, clinical information such as diagnosis names, and description of services the individual was receiving, and copies of birth certificates, driver’s licenses, and Social Security cards.

The city is reviewing what documents were accessible for other departments impacted by the incident, but investigators believe it is also personally identifiable information.

DBHIDS has been informing the affected individuals since last August, offering them credit and identity monitoring services free of charge. After CBH concluded its investigation in March, the organization also sent letters to people who were potentially impacted.

  • WHYY thanks our sponsors — become a WHYY sponsor

The city is now in the process of contacting individuals impacted outside of DBHIDS and CBH, and is encouraging residents to regularly check their bank accounts, credit card statements, and monitor health insurance claims for suspicious activity.

Officials say they have made “significant security improvements” as a result of this specific hack, and a general increase of cyber threats on local governments. A fall 2020 cyber attack on Delaware County’s computer network resulted in the county paying $25,000 in ransom. In October 2019, a Philadelphia Inquirer report revealed that a public data tool built by the city’s Department of Public Health to track hepatitis infections exposed the health records and other private information for thousands of people receiving medical care in the city.

Philadelphia has expanded its monitoring of network activity and added new tools to increase email security, including multi-factor authentication on all city email accounts.


Anyone who receives services from DBHIDS can call 1-855-763-0063 for more information and to answer any questions. CBH members can call 1-833-664-2001. If you are not affiliated with DBHIDS or CBH but received notice of the data breach will receive a contact number if they have any other questions.

Get daily updates from WHYY News!

WHYY is your source for fact-based, in-depth journalism and information. As a nonprofit organization, we rely on financial support from readers like you. Please give today.

Want a digest of WHYY’s programs, events & stories? Sign up for our weekly newsletter.

Together we can reach 100% of WHYY’s fiscal year goal