Jackson Health System: Data breach of patient info ends in firing of Miami hospital employee – DataBreaches.Net

Jackson Health System Hit by Five-Year Insider Data Breach Affecting 2,000 Patients

Jackson Health System (JHS), Miami-Dade County’s public hospital network, disclosed a data breach involving the unauthorized access of over 2,000 patients’ personal and medical records by an employee. The breach, which spanned nearly five years from July 2020 to May 2025, was carried out by a staff member who exploited the data to promote a personal healthcare business.

The exposed information included patient names, birth dates, addresses, medical record numbers, and clinical details, though Social Security numbers were not compromised. JHS terminated the employee upon discovering the breach but did not specify which of its facilities was involved or why the unauthorized access went undetected for so long.

This incident marks the second time in less than a decade that JHS has faced a prolonged insider breach. In 2016, the system reported a similar five-year unauthorized access case, leading to a 2019 settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR’s investigation at the time found systemic failures, including delayed breach notifications, inadequate risk analyses, and insufficient access controls. JHS paid a $2.15 million civil penalty but was not required to implement a corrective action plan.

The latest breach raises questions about whether JHS has addressed the vulnerabilities identified in the 2019 settlement, particularly regarding monitoring and access restrictions. The OCR has not yet indicated whether it will launch a new investigation.

Source: https://databreaches.net/2025/06/07/data-breach-of-patient-info-ends-in-firing-of-miami-hospital-employee/

Jackson Health System cybersecurity rating report: https://www.rankiteo.com/company/jackson-health-system

"id": "JAC1768378265",
"linkid": "jackson-health-system",
"type": "Breach",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '2000+ patients',
                        'industry': 'Healthcare',
                        'location': 'Miami-Dade, Florida, USA',
                        'name': 'Jackson Health System',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Unauthorized Access by Employee',
 'customer_advisories': 'Public disclosure via press release',
 'data_breach': {'number_of_records_exposed': '2000+',
                 'personally_identifiable_information': 'Names, birth dates, '
                                                        'addresses, medical '
                                                        'record numbers, '
                                                        'clinical details',
                 'sensitivity_of_data': 'High (PHI - Protected Health '
                                        'Information)',
                 'type_of_data_compromised': 'Personal and medical data'},
 'date_detected': '2025-05',
 'description': 'An employee of Jackson Health System accessed personal data '
                'of over 2,000 patients to promote a personal healthcare '
                'business. The breach spanned nearly five years, from July '
                '2020 to May 2025, and included patient names, birth dates, '
                'addresses, medical record numbers, and clinical details. '
                'Social Security numbers were not compromised.',
 'impact': {'brand_reputation_impact': 'Significant',
            'data_compromised': 'Patient names, birth dates, addresses, '
                                'medical record numbers, clinical details',
            'identity_theft_risk': 'Moderate',
            'legal_liabilities': 'Potential regulatory fines',
            'operational_impact': 'Reputation damage, regulatory scrutiny',
            'systems_affected': 'Patient record systems'},
 'investigation_status': 'Ongoing (internal investigation completed)',
 'lessons_learned': 'Insufficient access controls, lack of regular audits, and '
                    'delayed breach detection contributed to the incident. '
                    'Previous regulatory actions did not enforce corrective '
                    'measures.',
 'motivation': 'Personal business promotion',
 'post_incident_analysis': {'root_causes': 'Insufficient access controls, lack '
                                           'of regular audits, delayed breach '
                                           'detection, and failure to enforce '
                                           'corrective measures from prior '
                                           'incidents'},
 'recommendations': 'Implement stricter access controls, conduct regular '
                    'audits, enhance monitoring of employee access to '
                    'sensitive data, and enforce corrective action plans '
                    'post-incident.',
 'references': [{'source': 'The Miami Herald'}],
 'regulatory_compliance': {'fines_imposed': 'Potential (previously fined '
                                            '$2.15M in 2019)',
                           'regulations_violated': ['HIPAA']},
 'response': {'communication_strategy': 'Public disclosure via press release',
              'containment_measures': 'Employee termination'},
 'threat_actor': 'Insider (Employee)',
 'title': 'Jackson Health System Insider Data Breach',
 'type': 'Insider Threat',
 'vulnerability_exploited': 'Insufficient access controls and monitoring'}