Broward Health’s public health system has revealed a large-scale data breach incident affecting 1,357,879 people.
Broward Health is a Florida-based healthcare system with over thirty sites providing a wide range of medical services and receiving over 60,000 admissions per year.
The healthcare system revealed a cyberattack on October 15, 2021, when an intruder gained unauthorized access to the hospital network and patient data.
The organization discovered the intrusion four days later, on October 19, and immediately notified the FBI and the US Department of Justice.
At the same time, all employees were asked to change their user passwords, and Broward Health hired a third-party cybersecurity expert to help with investigations.
An investigation found that the perpetrators had access to the patient’s personal health information, which may include the following:
- Full Name
- Date of Birth
- Physical address
- Phone number
- Financial or banking information
- Social Security number
- Insurance information and account number
- Medical information and history
- Condition, treatment and diagnosis
- Driver’s license number
- E-mail address
Although Broward Health confirms that the network intruder exfiltrated the above data, it notes that there is no evidence that the threat actors misused it.
Notably, the point of intrusion was determined to be a third party medical provider authorized to access the system to provide its services.
“In response to this incident, Broward Health is taking action to prevent a recurrence of similar incidents including the ongoing investigation, a password reset with enhanced security measures throughout the company and the implementation. multi-factor authentication for all users of its systems ”explains data breach notification to affected patients and employees.
“We have also started implementing additional minimum security requirements for devices that are not managed by Broward Health Information Technology that access our network, which will take effect in January 2022.”
Due to the critical nature of the data exposed, recipients of notifications should remain vigilant against all forms of communication.
In addition, the health system offers a two-year subscription to identity theft detection and protection services through Experian, with details on how to enroll included in the letter.
Stolen data is often traded privately in hidden forums across the dark web, so it may be too early to see signs of abuse in nature, but that doesn’t mean those exposed need to be complacent.
Often, these large ensembles go through a tedious assessment process to choose specific high-value targets for social engineering or phishing attacks. We can therefore expect a delay in the exploitation of the stolen data.