The healthcare sector continues to be a high-priority target for malicious threat actors, as it has been throughout the pandemic.
The industry is strained by so many factors that proper cybersecurity protocols can be overlooked, presenting an opportunity for threat actors to try to turn a quick buck.
Broward Health, a large healthcare system in South Florida, disclosed a data breach that impacts more than 1.3 million of its patients.
In a breach notification letter to patients whose personal information was compromised, the healthcare organization discussed the incident:
"On October 15, 2021, an intruder who gained unauthorized access to the Broward Health network may have accessed some of your personal information. Broward Health discovered the intrusion on October 19, 2021. Broward Health promptly contained the incident upon discovery, notified the FBI and the Department of Justice (DOJ), required all employees to update their passwords and engaged an independent cybersecurity firm to conduct an extensive investigation into the incident.
The investigation determined the intrusion occurred through the office of a third-party medical provider who is permitted access to the system to provide healthcare services. Broward Health also engaged an experienced data review specialist to conduct an extensive review of the data, which determined that your personal medical information was included in data accessed by the intruder. We are alerting you to this situation now that the involvement of your personal medical information has been confirmed."
The letter is dated January 1, 2022, which might make some wonder why the organization waited nearly three months to notify its patients, but there is a legitimate reason:
"The DOJ requested that Broward Health briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation."
What information was compromised in the Broward Health data breach?
Unfortunately for Broward Health and its patients, the personal data involved in the breach is quite extensive.
The healthcare provider reports that the following information was accessed: name, date of birth, address, phone number, financial or bank account information, Social Security number, insurance information and account number, medical information (including history, condition, treatment, and diagnosis), medical record number, driver license number, and email address.
However, the organization points out that there is no evidence the information was misused by the threat actor—at least not yet.
How is Broward Health handling the incident?
Broward Health is already taking steps to ensure that an incident similar to this doesn't happen in the future.
These steps include "the ongoing investigation, a password reset with enhanced security measures across the enterprise, and the implementation of multifactor authentication for all users of its systems."
It has also begun implementing additional minimum security requirements, effective in January 2022, for devices that access its network but are not managed by Broward Health's IT team.
On top of this, the organization is offering a free two-year membership to Experian's IdentityWorks, which helps protect against identity theft.
This could be a very helpful move for those whose information has been impacted, because sometimes the effects of a data breach are not seen for an extended period of time.
The stolen data can be bought and sold on the Dark Web, and in some cases it could be years after an incident that an individual's information is used for a social engineering attack or financial fraud.
For more information, you can see the data breach notification from Broward Health.