Broward Health announced that an intruder had accessed its network through the office of a third-party medical provider.
This post originally appeared on Health IT News, January 4, 2022.
Florida-based Broward Health announced this weekend that a data incident in October had affected the personal information of more than 1.3 million patients and staff members.
According to a notice posted to the health system's website, an intruder accessed its network through the office of a third-party medical service provider.
A report to the Maine Attorney General said that 1,357,879 people had been affected by the incident.
"No matter how robust your security stack is, your organization can still be vulnerable to intrusions stemming from compromised credentials – especially those that belong to third-party vendors and partners," Steve Moore, chief security strategist at Exabeam, said in a statement to Healthcare IT News.
Why it matters
The details of the attack, including any suspected perpetrator identities, were not made public.
However, Broward did say that the intruders had access to its system from Oct. 15–19. Upon discovery, said the health system, it "promptly contained the incident, notified the FBI and the Department of Justice, required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation."
"Broward Health also engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined some patient and employee personal information may have been impacted," it continued.
According to Broward, the DOJ requested that it delay notifying the public of the incident to reduce potential compromise of the investigation.
The attackers removed personal medical information from Broward's systems, including:
- Date of birth.
- Phone number.
- Financial or bank account information.
- Social Security number.
- Insurance information and account number.
- Medical information, including history, condition, treatment and diagnosis.
- Medical record number.
- Driver's license number.
- Email address.
"While Broward Health has no indication that your personal information has been used to commit fraud, we recommend that you consider steps to protect yourself from medical identity theft," said the health system.
Broward Health said it is taking steps to prevent a similar incident from taking place in the future, including minimum-security requirements for devices not managed by Broward Health information technology with network access.
Experts reiterated the importance of safeguarding potential vulnerabilities in an organization's cybersecurity landscape.
"Giving network access to third parties only increases risk," said Moore. "As a result, even the best organizations must manage this problem perfectly to avoid adverse outcomes as well as ensure that partners are up to the same security standards, and perfect is difficult."
"Proper training, feedback loops, visibility and effective technical capabilities are the keys to managing the risk of compromised insiders and external adversaries to protect important health information," he said.
The larger trend
The incident is the latest in a long string of cyberattacks last year.
During the holiday season, multiple organizations reported incidents (although some had, like Broward's, taken place in the months prior). Some CompuGroup Medical employees, for example, appeared to be spending the last few weeks of 2021 fighting to get systems back online fully.
On the record
"Organizations must take a data-centric approach to security in order to up-level overall risk posture," said Adir Gruss, vice president of technical solutions at Laminar.
"The biggest challenge impeding data security teams today is that as more and more organizations move toward the cloud, they have lost track of where sensitive data resides. You simply cannot protect what you don't know about," Gruss said.
InfoSystems brings decades of experience in the healthcare sector, executing optimal solutions for enterprise cybersecurity, as well as managing IT infrastructure and optimization demands to position an enterprise for growth and innovation. Request a free consultation today.
For over 25 years, InfoSystems has provided reliable IT solutions to build and maintain strong and secure systems for both SMB and enterprise organizations. Headquartered in Chattanooga, TN, our trusted team of experts specialize in traditional infrastructure, IT optimization and cybersecurity services, as well as next gen solutions such as hybrid cloud and automation, from partners such as IBM, Red Hat, Dell Technologies, Microsoft and VMware.