Florida Cybersecurity Breach Report 2025: $388M, 1.2M Records

A factual analysis of cybercrime losses, healthcare breaches, state-government incidents, and the Florida regulatory environment.

Published by BlueRadius Cyber | May 2026 | All figures sourced and footnoted

Executive Summary

Florida ranked third nationally in both internet crime complaints and reported losses in 2024 according to the FBI Internet Crime Complaint Center (IC3) 2024 Annual Report, trailing only California and Texas.[1][2] The state's senior population, Floridians aged 60 and older, reported $388 million in losses in 2024, the third-highest such figure of any state in the country.[3] On the healthcare side, the Florida Department of Health disclosed a 729,699-individual RansomHub ransomware breach in 2024 that exfiltrated Social Security numbers, banking information, medical records, and passport data from the Vital Statistics System.[4]

This report compiles publicly verifiable Florida-specific and Florida-relevant data on cybersecurity incidents, regulatory enforcement, and threat patterns from 2023 through early 2026. Every statistic is sourced and footnoted. For Florida mid-market organizations the picture is consistent: a state in the national top three for reported cybercrime, home to several large enterprises that have been at the center of major U.S. incidents (Carnival Corporation, Citrix, Tampa General Hospital), a healthcare sector that absorbed one of the largest state-government ransomware breaches in recent memory, and a new consumer privacy regime (the Florida Digital Bill of Rights) that took effect July 1, 2024.

Key Findings

Florida ranked #3 nationally in reported IC3 losses and complaints in 2024, behind California and Texas, with California leading at $2.54 billion and 96,265 complaints.[1][2]
$388 million in losses by Florida residents aged 60 and older in 2024, the third-highest such figure nationally after California ($832 million) and Texas ($489 million).[3]
729,699 Florida Department of Health individuals affected by a RansomHub ransomware intrusion disclosed June 26, 2024, with approximately 100 GB of data leaked after the state did not pay. The Vital Statistics System (birth and death certificates) was among the systems impacted.[4]
1.2 million Tampa General Hospital patients had data exfiltrated by the Snatch ransomware group during a May 12 to May 30, 2023 intrusion, including a subset whose Social Security numbers were exposed.[5]
Citrix (Fort Lauderdale, FL) disclosed CVE-2023-4966 ("Citrix Bleed") on October 10, 2023 with a CVSS score of 9.4. The vulnerability had been actively exploited as a zero-day since late August 2023 and was the entry vector for the Boeing, ICBC, Allen and Overy, DP World, and Fred Hutchinson Cancer Center intrusions later in 2023.[6]
$5 million NYDFS penalty against Carnival Corporation (Doral, FL) in June 2022 for cyber violations across four incidents between 2019 and 2021, plus a separate $1.25 million multistate Attorney General settlement covering data of approximately 180,000 customers and employees across 45 states.[7][8]
Florida Digital Bill of Rights (FDBR) took effect July 1, 2024, but with one of the narrowest scopes of any U.S. consumer privacy law: applies only to controllers with more than $1 billion in global annual revenue that also operate ad tech, smart speaker, or large app-store platforms.[9]
30-day Florida breach notification deadline under the Florida Information Protection Act (FIPA) of 2014, with Attorney General notification required for breaches affecting 500 or more Florida residents and civil penalties up to $500,000 per breach.[10]

Bottom line: Florida combines the third-largest cybercrime burden in the country with a healthcare and state-government sector that has produced multiple seven-figure-record breaches in the past 24 months, several of which originated from supply-chain vulnerabilities (Citrix Bleed, MOVEit, Oracle Health). The FDBR is narrowly scoped and most Florida mid-market organizations are out of scope, but the FIPA breach notification regime applies broadly and carries enforceable civil penalties. Mid-market organizations operating in Florida should prioritize the same three controls that have driven the largest Florida-relevant incidents: identity and access management hardening, vendor risk management with attention to file-transfer and remote-access tooling, and rehearsed breach response under FIPA's 30-day clock.

The Headline Numbers: Florida in the FBI IC3 2024 Annual Report

The FBI Internet Crime Complaint Center (IC3) publishes annual data on reported internet crime by state. The 2024 report was released in April 2025.[2]

National Context

Nationally, IC3 received 859,532 complaints in 2024 with reported losses exceeding $16.6 billion, a 33% increase over 2023.[2] More than 147,000 complaints were filed by people aged 60 and older nationally, with reported losses to that demographic reaching approximately $4.8 billion, a 43% year-over-year increase.[2] Investment fraud, largely cryptocurrency related, was the largest single loss category at more than $6.5 billion.[2]

Florida Breakdown

Florida ranked third nationally in both reported losses and complaint volume, behind California (first) and Texas (second).[1][2] Within the 60-and-older demographic Florida residents reported $388 million in losses in 2024, behind California's $832 million and Texas's $489 million.[3] Florida's national position reflects the state's combination of population, financial sector concentration (Carnival, Citrix, Office Depot/ODP, NextEra Energy all headquartered in Florida), and a large healthcare provider footprint (AdventHealth, Tampa General, Orlando Health, Baptist Health, University of Miami Health System).

Major Florida-Domiciled or Florida-Relevant Breaches (2023-2025)

Florida Department of Health: 729,699-Individual RansomHub Breach (Disclosed June 2024)

On June 26, 2024 the Florida Department of Health disclosed a ransomware intrusion by the RansomHub group that exfiltrated data on 729,699 individuals, according to the report filed with the U.S. Department of Health and Human Services Office for Civil Rights. The Vital Statistics System (birth and death certificate processing) was among the systems impacted. Exposed data categories included Social Security numbers, banking information, medical records, and passport data. After the state did not pay the ransom demand, approximately 100 GB of data was published to the RansomHub leak site.[4]

Tampa General Hospital: 1.2 Million Patients (May 2023, disclosed July 2023)

Between May 12 and May 30, 2023 the Snatch ransomware group exfiltrated data on approximately 1.2 million Tampa General Hospital patients, including names, addresses, phone numbers, dates of birth, medical record numbers, and treatment information. A subset of affected individuals had Social Security numbers exposed. Tampa General disclosed the incident in July 2023.[5] The incident remains one of the largest provider-level breaches reported by a Florida-headquartered hospital system.

Citrix (Fort Lauderdale, FL): CVE-2023-4966 "Citrix Bleed"

On October 10, 2023 Citrix, headquartered in Fort Lauderdale, Florida, disclosed CVE-2023-4966, a vulnerability in NetScaler ADC and Gateway products with a CVSS base score of 9.4. The vulnerability had been actively exploited as a zero-day since late August 2023. Major victims of Citrix Bleed exploitation included Boeing's commercial airplanes division, Industrial and Commercial Bank of China (ICBC), the international law firm Allen and Overy, DP World, and Fred Hutchinson Cancer Center.[6] Although Citrix itself was not the breach victim in those incidents, the vulnerability's origin in a Florida-headquartered vendor places it at the center of any Florida-specific 2023-2024 analysis.

Carnival Corporation (Doral, FL): NYDFS and Multistate Settlements

Carnival Corporation, headquartered in Doral, Florida, was the subject of two consequential regulatory actions tied to four cybersecurity incidents between 2019 and 2021. In June 2022 the New York Department of Financial Services imposed a $5 million penalty for cyber violations connected to those incidents.[7] A separate multistate Attorney General settlement, covering data of approximately 180,000 customers and employees across 45 states, totaled $1.25 million.[8] The Carnival incidents are frequently cited in board-level cyber risk briefings because the regulatory exposure was concentrated in NYDFS Part 500 enforcement, not in Florida or federal regulators.

AdventHealth and the Oracle Health Cascade (Disclosed Late 2025)

AdventHealth, headquartered in Altamonte Springs, Florida, began notifying patients in December 2025 of a breach traceable to the Oracle Health (formerly Cerner) January 2025 incident. The Oracle Health intrusion impacted multiple downstream healthcare provider customers and is reported separately to HHS OCR by each affected covered entity.[11] The AdventHealth notification is included here as one of the larger Florida-relevant disclosures in the reporting window.

National Public Data (Coral Springs, FL): Multi-Hundred-Million-Record Exposure

National Public Data, a consumer data broker headquartered in Coral Springs, Florida, confirmed on August 15, 2024 a breach exposing records of millions of U.S., U.K., and Canadian residents.[12] The breach involved a data set assembled from public records and other sources and was widely reported as one of the largest consumer-data exposures of 2024. The incident is particularly notable from a regulatory standpoint because the affected dataset combined names, addresses, Social Security numbers, and phone numbers in a single exposed file.

Suncoast Skin Solutions (Tampa Bay, FL): $825,000 Settlement Paying Out 2024

Following a July 2021 ransomware incident affecting approximately 70,000 patients of Suncoast Skin Solutions (Tampa Bay), an $825,000 class-action settlement began paying out to affected individuals on November 22, 2024.[13] The settlement is included here because the 2024 payout window places this dermatology-specific breach back in current Florida regulatory and class-action discussion.

University of Miami Health System: Insider Breach Disclosed June 2025

In June 2025 the University of Miami Health System disclosed an insider breach in which a terminated employee viewed more than 2,000 patient records between September 2022 and May 2025 without a legitimate business purpose.[14] The incident is included here because it illustrates that the dominant Florida healthcare breach pattern is not exclusively ransomware: insider-access incidents account for a meaningful share of HIPAA-reportable Florida events.

The Florida Regulatory Environment

Florida Digital Bill of Rights (FDBR)

The Florida Digital Bill of Rights (FDBR) took effect on July 1, 2024. The FDBR's scope is materially narrower than the comparable laws in California (CCPA/CPRA), Virginia (VCDPA), and Washington (My Health My Data Act). It applies only to controllers that exceed $1 billion in global annual revenue and meet at least one of the following additional criteria: more than 50% of revenue from selling online advertising, operating a consumer smart-speaker or voice-assistant service, or operating an app store or digital distribution platform with at least 250,000 distinct software applications available for consumer download.[9] HIPAA-covered entities, nonprofit organizations, and entities subject to the federal Gramm-Leach-Bliley Act are exempt.[9] In practice the FDBR applies to fewer than a dozen organizations operating in Florida.

Florida Information Protection Act (FIPA)

The Florida Information Protection Act of 2014, codified at Fla. Stat. 501.171, requires entities suffering a breach of personal information to notify affected Florida residents within 30 days of discovery and to notify the Florida Attorney General within 30 days if 500 or more Florida residents are affected by a single incident.[10] A 15-day extension is available for good cause. Civil penalties for violations are up to $500,000 per breach.[10] FIPA's 30-day window is materially tighter than the federal HIPAA Breach Notification Rule's 60-day deadline and aligned with the comparable Washington State requirement under RCW 19.255.

What This Means for Florida Mid-Market Organizations

Three implications follow directly from the data above.

1. Vendor risk is the dominant attack pattern. The Florida Department of Health (RansomHub), Tampa General (Snatch), and the Citrix Bleed cascade (Boeing, ICBC, Fred Hutchinson, and others) all turned on either a supply-chain pivot or a single-vendor exploit. Mid-market organizations operating in Florida should treat managed cybersecurity controls with explicit vendor-risk monitoring as table stakes rather than discretionary.

2. Healthcare exposure is concentrated and consequential. Florida's healthcare sector has produced two of the largest provider-level breaches affecting Florida residents in the past two years (Florida DOH at 729,699 and Tampa General at 1.2 million). Mid-market healthcare providers and business associates operating in Florida should pull healthcare cybersecurity controls, particularly identity hardening, third-party access reviews, and tested incident response, forward on the roadmap.

3. FIPA's 30-day window changes breach response economics. Tabletop exercises designed around a 60-day federal deadline do not match the Florida reality. Mid-market organizations should rehearse breach response under a 30-day clock with documented decision points for counsel engagement, forensic vendor activation, AG notification, and individual notification mailing. Florida's plaintiffs' bar is also active in post-breach class actions, as the Suncoast Skin Solutions $825,000 settlement that began paying out in November 2024 illustrates.

Frequently Asked Questions

What was Florida's national rank in IC3 2024?

Florida ranked third nationally in both reported internet crime complaints and reported losses in 2024, behind California (first) and Texas (second), according to the FBI Internet Crime Complaint Center 2024 Annual Report.[1][2]

How much did Florida seniors lose to cybercrime in 2024?

Florida residents aged 60 and older reported $388 million in internet crime losses in 2024, the third-highest such figure of any state behind California ($832 million) and Texas ($489 million).[3]

What is Florida's data breach notification deadline?

Under the Florida Information Protection Act of 2014 (Fla. Stat. 501.171), entities that suffer a breach of personal information must notify affected Florida residents within 30 days of discovery and must notify the Florida Attorney General within 30 days if 500 or more Florida residents are affected.[10]

What is the Florida Digital Bill of Rights and when did it take effect?

The Florida Digital Bill of Rights (FDBR) took effect July 1, 2024. Its scope is narrow: it applies only to controllers with more than $1 billion in global annual revenue that also operate online advertising, smart-speaker/voice-assistant, or large app-store platforms. HIPAA-covered entities, nonprofits, and Gramm-Leach-Bliley regulated entities are exempt.[9]

How many Florida Department of Health records were exposed in the 2024 breach?

The Florida Department of Health reported to HHS OCR that 729,699 individuals were affected by the June 2024 RansomHub ransomware intrusion. Approximately 100 GB of data was leaked to the RansomHub leak site after the state did not pay the ransom.[4]

How many Tampa General Hospital patients were affected by the 2023 breach?

Approximately 1.2 million patients of Tampa General Hospital had data exfiltrated by the Snatch ransomware group between May 12 and May 30, 2023. Tampa General disclosed the incident in July 2023.[5]

Engage a vCISO to Operationalize These Findings

The breach patterns documented above (vendor compromise, identity-infrastructure exploitation, ransomware double-extortion) are not solved by adding more security tools. They are addressed by a security program with clear leadership accountability for vendor risk, identity controls, and tested incident response. For mid-market organizations that do not have a full-time CISO, a fractional or virtual CISO arrangement provides this leadership at a fraction of the cost of a senior hire. BlueRadius's virtual CISO services embed a senior security leader into the organization to translate threat data of the kind in this report into board-defensible programs, with explicit accountability for vendor risk reviews, identity hardening, and rehearsed breach response under the relevant 30-day notification clock.

BlueRadius Research Library

Sourced research reports across the BlueRadius cybersecurity catalog. Every report below is footnoted to primary or established secondary sources, and each tracks a different slice of the threat and regulatory landscape facing mid-market organizations.

Sources

[1] Federal Bureau of Investigation, Internet Crime Complaint Center, "2024 Internet Crime Report," released April 23, 2025. ic3.gov.

[2] FBI press release announcing release of the 2024 Internet Crime Report. fbi.gov.

[3] WINK News, "Florida ranks high in internet crime losses, FBI report," citing the FBI IC3 2024 figures for Florida residents aged 60 and older. winknews.com.

[4] HIPAA Journal, "RansomHub Ransomware Group Behind Florida Department of Health Cyberattack." hipaajournal.com.

[5] HIPAA Journal, "Tampa General Hospital Says Hackers Exfiltrated the Data of 1.2 Million Patients." hipaajournal.com.

[6] Cybersecurity and Infrastructure Security Agency, "CISA Releases Guidance Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966." cisa.gov.

[7] New York State Department of Financial Services, "DFS Superintendent Harris Announces $5 Million Penalty on Carnival Corp. for Violations of DFS Cybersecurity Regulation," June 24, 2022. dfs.ny.gov.

[8] Cybersecurity Dive, "Carnival pays $5M to NY for cybersecurity violations," covering the parallel multistate Attorney General settlement. cybersecuritydive.com.

[9] White and Case, "Florida Enacts Digital Bill of Rights, Joining Growing Privacy Landscape," summarizing FDBR scope and exemptions. whitecase.com.

[10] Florida Senate, Florida Statute 501.171 (Florida Information Protection Act of 2014). flsenate.gov.

[11] Becker's Hospital Review, "Oracle Health data breach ensnares AdventHealth." beckershospitalreview.com.

[12] Infosecurity Magazine, "National Public Data Confirms Breach." infosecurity-magazine.com.

[13] ClaimDepot, "Suncoast Skin Solutions Data Breach Settlement," documenting the $825,000 class action settlement and November 2024 payout schedule. claimdepot.com.

[14] HIPAA Journal, "Insider Breaches at Healthcare Providers in Florida and Massachusetts." hipaajournal.com.

Florida State Cybersecurity Breach Report 2025: $388M Senior Losses, 1.2M Tampa General Patients