Information on more than 4,000 patients of DermCare Management and Apollo Medical Supply were exposed in two separate breaches, according to recent reports made to the Department of Health and Human Services.
They join 33 other Florida health care firms that have reported data breaches to the agency since July 2023, a federal report shows. The breaches potentially exposed the personal data of more than 6.7 million Florida patients.
That list includes Tampa General Hospital, which earlier this year agreed to pay $6.7 million to settle a class action lawsuit brought by some of the 2.1 million patients whose data may have been exposed in a 2023 hack.
Patient information is typically sold on the dark web and used for identity theft. But cyber criminals have also stolen money directly from health care firms too, including $3.6 million that was stolen from a nonprofit that runs behavioral health services in the Orlando area on behalf of the state.
The money was taken from a bank account of Central Florida Cares Health System in October 2023 after an employee cleared the cache on her computer.
She later Googled the name of a bank and entered the group’s password information into a website that turned out to be fraudulent, according to an Orange County Sheriff’s Office report.
Cyber criminals used that information to access the bank’s real website and stole $3.6 million via bank transfers, the report states. An unsuccessful attempt was also made to wire another $1.5 million.
In addition to local law enforcement, the theft was investigated by the Secret Service, said Maria Bledsoe, Central Florida Cares CEO. A woman in Texas has been indicted on charges of money laundering in a case linked to the theft.
“Of course it’s a shock,” Bledsoe said. “These individuals have gotten so savvy and creative.”
Central Florida Cares is contracted by the Florida Department of Children and Families to provide substance abuse and mental health services in Brevard, Orange, Osceola and Seminole counties.
The nonprofit was able to recoup $1.9 million from insurance policies and the theft did not impact its services, Bledsoe said.
To prevent another online theft the group has switched banks and added authentication processes for when accessing online banking services. It has also stepped up training for its employees and conducts spot checks to see if employees are falling for phishing emails, Bledsoe said.
It’s not the only Florida mental health services provider to be the target of hackers.
An unauthorized user gained access to computer servers of Thriving Mind South Floridain August 2023 and obtained internal files, the group reported. It provides mental health services in Miami-Dade and Monroe counties.
The breach may have exposed personal information of 225,000 patients including name, Social Security number, date of birth and other financial, medical and health insurance details, according to a class action lawsuit filed by victims in circuit court in Miami-Dade County.
Thriving Mind officials declined to comment for this story citing the pending litigation.
The Florida Department of Health was also the victim of hackers who last year posted more than 20,000 files onto the dark web that detailed HIV test results, detailed doctors’ notes and immunization and virus testing records.
Health care data can be a potential goldmine for hackers, said Hossain Shahriar, associate director and a professor at the Center for Cybersecurity at the University of West Florida.
In addition to personal information, data breaches often expose health insurance and medical details about patients. There is often also credit card or other financial information on file for payment of co-pays, he said.
Health care companies typically lag behind firms in the military or finance sector when it comes to investing in infrastructure that protects their data, Shahriar said. He’s heard of health firms that are still using old operating systems that have vulnerabilities.
He recommends health care companies invest more to protect patients’ data and also step up training since many breaches are the result of employees falling for phishing emails, messages that appear to be from their own company but may contain viruses or other malware.
“What happens in that healthcare industry is most of their focus and attention and even their budget allocations are mostly to serve the patients,” Shahriar said. “Even though the investment might be, let’s say, $10,000, believe me, that can save millions and millions of dollars of potential damage.”
Tampa General officials said that while their system was breached, defenses against hackers prevented them from encrypting its data, a common tactic used to extract ransom payments from companies.
Had the hacker been able to encrypt files, it would have significantly interrupted the hospital’s ability to provide care for patients, said spokesperson Amanda Bevis in an email.
“TGH considers the health, safety and privacy of patients and team members a top priority,” Bevis said. “The hospital is continuously updating and hardening systems to help prevent events such as this from occurring and has implemented additional defensive tools and increased monitoring.”
© 2025 Tampa Bay Times. Distributed by Tribune Content Agency, LLC.
