Data breaches are the unauthorized or illegal acquisition of computerized data that compromise information security or integrity. Most data breaches are motivated by financial gain, as cybercriminals target individuals and businesses. The most common data breach types in Florida are insider threats, malware, phishing, and ransomware attacks. According to the FBI IC3 report, Florida ranks second, behind California in the total number of victims of data breaches, and the loss experienced in millions of dollars.

Identity Theft Statistics

Identity Theft
State Rank (Reports per 100K Population)
Identity Theft Reports
Fraud & Other
State Rank (Reports per 100K Population)
Total Fraud & Other Reports
Total Fraud Losses
Median Fraud Losses

Top Ten Report Categories

Identity Theft
Imposter Scams
Credit Bureaus, Iformation Furnishers and Report Users
Debt Collection
Telephone and Mobile Services
Banks and Lenders
Auto Related
Online Shopping and Negative Reviews
Prizes, Sweepstakes and Lotteries
Internet Services

Top Identity Theft Types

Credit Card Fraud
Other Identity Theft
Loan or Lease Fraud
Bank Fraud
Phone or Utilities Fraud
Employment or Tax-Related Fraud
Government Documents or Benefits Fraud

Florida's Biggest Data Breaches


Independent Living Systems LLC

Independent Living Systems, based in Miami, provides clinical and third-party administrative services to care organizations, plans, and health providers. The organization experienced a data breach that affected 4.2 million people, including the elderly and special needs patients. The organization initially reported the case to the Office for Civil Rights in 2022. Its first estimates indicated only 501 were affected, but the investigation revealed the scope of the breach was much larger. The investigation was completed in January 2023, and ILS validated the results before giving notice to potentially affected individuals. Unfortunately, Independent Living Systems is currently facing class action lawsuits.


NationsBenefits Holdings

NationsBenefits Holdings provides flex cards, supplemental benefits, and member engagement to care organizations or health plans. In January 2023, hackers from Clop ransomware gained access to NationsBenefits' data systems and demanded payment, failure to which they would publish the stolen information. This attack affected a little over three million individuals. The company has since taken its MFT servers offline and transitioned to an alternative file transfer method that does not rely on the previous software used. Notification letters were also mailed to all affected individuals.


Florida Water System

In February 2021, a hacker tried to poison the Florida water system by using a remote access software platform shared by plant employees. The attacker entered the water treatment system and then proceeded to tamper with the Sodium Hydroxide and Lye levels by increasing them to 100 times their average level. Fortunately, the attack was intercepted by an employee who reduced the levels back safely. Due to the breach, the Miami Dade Water and Sewer Department gave a statement reassuring customers that it had initiated safeguards to protect water quality standards.


Florida Orthopedic Institute

The largest orthopedic providers in Florida fell victim to a ransomware attack in April 2020. Employees were prevented from accessing their computer systems and files following a ransomware attack. The attack affected 640,000 individuals, according to a third-party forensic investigation. A range of data was compromised, including dates of birth, Social Security numbers, as well as health insurance information. Patients were also notified of the breach. However, a class action lawsuit was initiated, alleging the provider did not initiate the proper safeguards to ensure patient data confidentiality. The claims entailed a breach of fiduciary duty and a violation of Florida's Deceptive and Unfair Trade Practices Act.


Florida Healthy Kids Corporation

The Florida Healthy Kids Corporation is an organization that provides dental and health insurance for children aged five through 18 in the state. It also issues federal Medicaid funds and state funds for health insurance programs. It announced a data breach experienced by its vendor, Jelly Bean Communications, in 2020. The vendor hosted the FHKC website at the time, leading to the exposure of online applicants' personal data as well as that of enrollees. Cybersecurity professionals found several vulnerabilities in the hosted platform and the supporting databases for the KidCare application.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from
Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards
or Loans in Your Name

A new line of credit in your name or a loan taken is a warning sign you are a victim of identity theft.

Surprise Credit
Score Drops

Sudden credit drops with no obvious cause are a sign of suspicious activities.

Unusual Activity on Your
Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to
to Accounts

If you are locked out of the account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all fails.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is totally unique, and you use two-factor verification as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

For several years, Florida has required that companies experiencing data breaches report these incidents to the affected parties. This is covered under the Florida Information Protection Act, which indicates breaches of security as unauthorized access of data in electronic form. Personal information may include the following:

  1. First name or first initial and last names
  2. Financial, government, insurance, or medical identifiers
  3. User names or email addresses and passwords
  4. Security questions and their answers

It excludes data on an individual already made public by government institutions. Covered entities must also notify the Department of Legal Affairs concerning breaches affecting more than 500 Florida residents. The notice to this department has to include the following:

  1. A summary of the events concerning the breach
  2. Number of residents affected
  3. All services related to the violation offered by the covered entity and instructions on how to use them
  4. A copy of the notice provided to the individuals affected
  5. Name, address, telephone numbers, and email addresses of employees or agents of the covered entity.
  6. A police report or forensic statement of the incident
  7. A copy of the policies in place concerning breaches

Even when an organization has not experienced a breach or does not have electronic records, it is still subject to FIPA regulations. All organizations and entities must use precautions when disposing of customer data. FIPA breach requirements apply to electronic material, but consumer information may include paper or other physical media. All personal information must be disposed of appropriately by shredding, erasing, or other means to make the data unreadable.


  • Requirements for data security: each entity that is covered or a third-party agent is required to protect and secure data in electronic form with personal information.
  • If a company has experienced a data breach, it is required to act quickly to become compliant. Companies violating are subject to penalties from $1,000 a day to $500,000 per breach. That is if the organization does not issue the appropriate notice in time and continues to violate its obligation for more than 180 days.
  • Third parties, such as vendors that maintain personal information on behalf of the organization, only have ten days to notify them of a breach.
  • All covered entities are to notify each individual in Florida whose personal information was believed to have been accessed because of a breach. The notice to the affected parties should be made immediately without unreasonable delay.
  • According to section 817.5681, entities that do business in Florida and maintain computerized information with personal information in a system must give notice of the breach within 45 days. The personal information includes the first names, initials, last names, middle names, or any combination of the above. They also include Social Security numbers, driver's license numbers, credit card numbers, or any security codes.