Dive Brief:

• The San Francisco Department of Public Health (DPH) told almost 900 patients at two city hospitals last week of a data breach that exposed their personal information late last year.
• DPH said the breach happened at Massachusetts-based Nuance Communications, which the agency contracted to provide medical transcription services. Data was accessed illegally between Nov. 20, 2017 and Dec. 9, 2017 by a former Nuance employee.
• The agency delayed its public notification at the request of the FBI and U.S. Department of Justice, which led criminal investigations into the matter. The Justice Department found that it did not appear any information had been used or sold.

Dive Insight:

It is not the first time this year that San Francisco’s cybersecurity has been in the news, although the problem again appears to have been resolved successfully without incident. Last month, the city’s Department of Technology announced it had fixed a security bug with its 114 emergency sirens. That fix and the swift response to this data breach at DPH indicates that San Francisco is trying to stay on top of keeping its records secure.

But this incident does keep the focus squarely on cities, which have a lot of data to manage and have traditionally not been as concerned about cybersecurity as the private sector. Atlanta Mayor Keisha Lance Bottoms said recently at the Smart Cities New York conference that a ransomware attack on the city came as a “surprise” to her staff and constituents, but that it forced an important conversation around cybersecurity.

Similar incidents have also happened to Baltimore’s 911 emergency system and Dallas’ emergency sirens. Though this latest breach did not appear to result in any information being sold to bad actors, it is clear hackers are looking for any avenue through which to enter secure systems, and cities must think carefully about their cyber resiliency.