The City of Philadelphia has revealed that the information of certain individuals was stolen in a cyberattack earlier this year.
The malicious activity, the city says in an incident notification (PDF) on its website, was initially identified on May 24, and involved its email environment.
According to the city, the investigation into the matter has revealed that an unauthorized party had access to certain city email accounts between May 26 and July 28, and that the information within those accounts was also accessed.
“Also, on August 22, 2023, we became aware that the at-issue email accounts include email accounts that may contain protected health information,” the City of Philadelphia said.
The investigation into the incident is ongoing and the city is reviewing the potentially impacted information manually, to determine the extent of the incident.
To date, the investigation has revealed that personal information (including names, addresses, dates of birth, Social Security numbers), health information (diagnosis and other treatment related information), and financial information might have been compromised in the attack.
“The types of information impacted vary by individual,” the incident notification reads.
The city says it has notified the US Department of Health and Human Services of the attack, and that it has also taken steps to improve the security of its network and email systems.
The City of Philadelphia has yet to share details on the number of impacted individuals and whether other types of data were also exposed in the incident.
Related: Salesforce Email Service Zero-Day Exploited in Phishing Campaign
Related: Russian APT Group Caught Hacking Roundcube Email Servers
Related: Email Hack Hits 15,000 Business Customers of Australian Telecoms Firm TPG
