Full Report
Skyler Shepard reports: State investigators say Mirra Health jeopardized the safety of thousands of Floridians by sharing their sensitive health data with unauthorized companies overseas. Florida Insurance Commissioner Mike Yaworsky suspended Mirra Health Care LLC on Tuesday after investigators found the company sent private medical information to unlicensed companies in India and the Philippines. Mirra Health handles important claims... Source
Analysis Summary
# Incident Report: Improper Outsourcing and Data Exposure by Mirra Health Care LLC
## Executive Summary
Mirra Health Care LLC, a third-party administrator for Medicare Advantage plans, exposed the sensitive health data of approximately 23,000 Floridians by outsourcing claims and enrollment work to unapproved overseas vendors. The Florida Office of Insurance Regulation (OIR) found that protected health information (PHI) was transmitted to unlicensed entities in India and the Philippines without the required regulatory or client approval. The Florida Insurance Commissioner suspended the company in response to these systemic compliance failures and the unauthorized exposure of PHI.
## Incident Details
- **Discovery Date:** March 2026 (public announcement of the suspension)
- **Incident Date:** Undisclosed; the offshore processing continued until the OIR investigation in 2026
- **Affected Organization:** Mirra Health Care LLC
- **Sector:** Healthcare (Medicare Advantage Administration)
- **Geography:** Florida, USA (Primary impact); India and the Philippines (Data destination)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Duration of outsourcing contracts)
- **Vector:** Authorized Administrative Access (Insider/Policy Violation)
- **Details:** Mirra Health shared Medicare member data with offshore vendors so that those vendors could perform claims and enrollment functions, without the approvals the company's HMO clients and state regulators required.
### Lateral Movement
- **Details:** Not applicable in the traditional intrusion sense. The data movement was an intentional business-process bypass: member data was moved from the compliant in-scope environment to unvetted third-party systems overseas, using the company's own legitimate access.
### Data Exfiltration/Impact
- **Details:** Sensitive health data, enrollment records, and medical information of approximately 23,000 Medicare Advantage members were transmitted to unlicensed companies in India and the Philippines.
### Detection & Response
- **Discovery:** State investigators from the Florida Office of Insurance Regulation (OIR) uncovered the unauthorized offshore activity during a regulatory investigation.
- **Response Actions:** On Tuesday, March 24, 2026, Florida Insurance Commissioner Mike Yaworsky suspended Mirra Health Care LLC’s license to operate.
## Attack Methodology
- **Initial Access:** Misuse of administrative authority by the organization.
- **Persistence:** Legitimate business relationship with offshore partners used as a cover for data transfer.
- **Defense Evasion:** Failure to provide required contracts to state investigators during the audit; failure to seek required approval from HMO clients.
- **Collection:** Gathering of Medicare member claims and enrollment data.
- **Exfiltration:** Systematic transfer of PHI to offshore, unlicensed entities.
- **Impact:** Regulatory suspension of business and massive exposure of vulnerable citizens' health data.
## Impact Assessment
- **Financial:** Potential HIPAA enforcement action by HHS OCR and state penalties, plus loss of revenue for the duration of the license suspension.
- **Data Breach:** Exposure of medical and personal data for approximately 23,000 individuals in a vulnerable population.
- **Operational:** Business operations suspended; Florida HMOs must now find alternative administrators.
- **Reputational:** Severe loss of trust with Medicare Advantage members and health maintenance organizations (HMOs).
## Indicators of Compromise
- **Behavioral indicators:** Sustained, high-volume outbound transfers of PHI from Mirra Health systems to destinations geolocated in India and the Philippines, outside the approved processing footprint.
- **Compliance indicators:** No Business Associate Agreements (BAAs) or client-approved offshore subcontracts covering the vendors involved; inability to produce contracts and related documentation during the regulatory audit.
## Response Actions
- **Containment:** Regulatory suspension of Mirra Health's license to prevent further unauthorized data sharing.
- **Eradication:** Termination of the unapproved offshore processing arrangements and state action to account for the records the offshore vendors held.
- **Recovery:** Coordination between the OIR and Florida HMOs to ensure Medicare members continue to receive services through compliant channels.
## Lessons Learned
- **Third-Party Risk:** Outsourcing a function does not transfer regulatory liability. A covered entity and each of its business associates remain accountable for where PHI goes, including further subcontracting by a vendor.
- **Audit Deficiencies:** The HMO clients appear not to have audited their administrator (Mirra Health) closely enough to detect the offshore work, which allowed it to continue undetected for an extended period.
- **Documentation is Key:** A vendor's failure to produce contracts during a state audit is a strong signal of deeper compliance problems and should be treated as one.
## Recommendations
- **Vendor Management:** Audit all third-party administrators rigorously, with "right to audit" clauses that cover on-site and technical inspection and that extend to any subcontractors the vendor uses.
- **Technical Safeguards:** Put geographic allowlisting and data loss prevention (DLP) controls on every channel that carries PHI (file transfer, email, APIs) so that transfers to destinations outside the approved processing footprint are blocked, or at minimum alerted on and reviewed.
- **Compliance Training:** Ensure executives and operations leads understand the legal consequences of offshore processing of PHI under HIPAA and state insurance law before any such arrangement is signed.
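The behavioral indicator above (high-volume PHI flows to destinations outside the approved region) and the geo-allowlisting recommendation both reduce to the same detection logic: resolve each egress flow's destination to a country, and flag anything PHI-tagged or high-volume that leaves the approved footprint. The following is an added example, not part of the original report and not code from Mirra Health or the OIR. The prefix-to-country table, the flow log lines, the approved-country set and the 50 MiB per-day threshold are all constructed or assumed for illustration; a real deployment would use a maintained GeoIP database and its own tuned threshold.

```python
"""Geo-allowlist egress check over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed prefix-to-country table. These prefixes are documentation ranges
# and a private range, used here only so the example runs offline; they are
# not real allocations. Production code would query a maintained GeoIP database.
GEO_TABLE = {
    "10.0.0.0/8": "US",       # internal network (assumed)
    "203.0.113.0/24": "US",   # approved US-based clearinghouse (assumed)
    "198.51.100.0/24": "IN",
    "192.0.2.0/24": "PH",
}
# Longest-prefix order so a more specific entry wins over a broader one.
_GEO = sorted(((ipaddress.ip_network(p), c) for p, c in GEO_TABLE.items()),
              key=lambda t: t[0].prefixlen, reverse=True)

APPROVED_COUNTRIES = {"US"}                 # assumed approved processing footprint
VOLUME_THRESHOLD = 50 * 1024 * 1024         # assumed: 50 MiB per country per day


def lookup_country(ip: str) -> str:
    """Map an IP to a country code; unknown destinations return '??' so that
    they are treated as unapproved (fail closed) rather than silently allowed."""
    addr = ipaddress.ip_address(ip)
    for net, country in _GEO:
        if addr in net:
            return country
    return "??"


# Constructed flow log: date src_ip dst_ip bytes dlp_tag
# The dlp_tag column stands in for a DLP classifier's verdict on the payload.
FLOW_LOG = """\
2026-02-03 10.0.5.21 203.0.113.10 18234000 phi
2026-02-03 10.0.5.21 198.51.100.7 4120000 phi
2026-02-03 10.0.5.22 198.51.100.7 61200000 none
2026-02-03 10.0.5.23 192.0.2.44 2100 none
2026-02-04 10.0.5.21 192.0.2.44 9800000 phi
"""


def parse_flows(text: str) -> list[dict]:
    """Parse whitespace-separated flow lines and annotate each with its country."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, src, dst, nbytes, tag = line.split()
        flows.append({"date": date, "src": src, "dst": dst,
                      "bytes": int(nbytes), "tag": tag,
                      "country": lookup_country(dst)})
    return flows


def find_offshore_transfers(flows, approved=APPROVED_COUNTRIES,
                            threshold=VOLUME_THRESHOLD) -> list[dict]:
    """Two rules over flows leaving the approved footprint:
    1. any PHI-tagged flow is a finding on its own, regardless of size;
    2. aggregate bytes per (day, country) above the threshold is a finding,
       because untagged bulk transfers can carry PHI the classifier missed."""
    findings = []
    volume = defaultdict(int)
    for f in flows:
        if f["country"] in approved:
            continue
        if f["tag"] == "phi":
            findings.append({"rule": "PHI_TO_UNAPPROVED_COUNTRY", "date": f["date"],
                             "src": f["src"], "dst": f["dst"],
                             "country": f["country"], "bytes": f["bytes"]})
        volume[(f["date"], f["country"])] += f["bytes"]
    for (date, country), total in sorted(volume.items()):
        if total > threshold:
            findings.append({"rule": "HIGH_VOLUME_TO_UNAPPROVED_COUNTRY",
                             "date": date, "src": None, "dst": None,
                             "country": country, "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in find_offshore_transfers(parse_flows(FLOW_LOG)):
        print(finding)
```

Run against the constructed log, the check raises two PHI findings (one each to the IN and PH destinations) and one volume finding for the IN destination on 2026-02-03, where a single untagged 61 MB transfer pushes the daily total past the threshold. The transfer to the approved US clearinghouse is not reported. Two design points carry over to real deployments: unknown geolocations are treated as unapproved rather than ignored, and the volume rule exists precisely because a DLP classifier will not tag every file that actually contains PHI.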