South Florida-based Broward Health public health system has revealed a large-scale data breach incident impacting more than 1.3 million patients and staff members.
The leak data included names, addresses, contact numbers, Social Security numbers, bank details, Insurance data, medical history such as condition, diagnosis, medical history, treatment, and medical record number, and driver’s license number of patients and staff members.
Broward healthcare system which operates over thirty locations provides a wide range of medical services and receives over 60,000 admissions per year. The security breach was announced on January 1, 2022, when the healthcare system revealed that unauthorized access to a third-party medical provider resulted in patient and employee data being compromised.
On October 15, 2021, threat actors accessed the healthcare system’s network through a third-party medical provider. The organization discovered the intrusion four days later, on October 19, and instantly reported the FBI and the US Department of Justice. The DOJ requested Broward Health officials to hold off on sending out breach notification letters to ensure that it does not impact the ongoing law enforcement investigation.
Although Broward Health acknowledges the data breach but denies the reports of threat actors misusing the data. Notably, the intrusion point was determined to be a third-party medical provider who was permitted access to the system to provide their services.
"In response to this incident, Broward Health is taking steps to prevent recurrence of similar incidents, which include the ongoing investigation, a password reset with enhanced security measures across the enterprise, and the implementation of multifactor authentication for all users of its systems. We have also begun implementation of additional minimum-security requirements for devices that are not managed by Broward Health Information Technology that access our network, which will become effective in January 2022," explains the data breach notification.
To mitigate further risks, all employees were recommended to reset their passwords, and Broward Health contracted a third-party cybersecurity expert to help with the investigations. The organization has also executed multi-factor authentication on all systems, and has started implementing “minimum-security requirements for devices that are not managed by Broward Health Information Technology that access our network, which will become effective in January 2022.”
Due to the critical nature of the leaked data, recipients of the notices need to remain vigilant against all forms of communication. Additionally, the hospital is offering a two-year membership of identity theft protection services via Experian, with details on how to enroll enclosed in the letter.
