The Broward Health public health system has disclosed a large-scale data breach incident impacting 1,357,879 individuals.
Broward Health is a Florida-based healthcare system with over thirty locations offering a wide range of medical services and receives over 60,000 admissions per year.
The healthcare system disclosed a cyberattack on October 15, 2021, when an intruder gained unauthorized access to the hospital’s network and patient data.
The organization discovered the intrusion four days later, on October 19, and immediately notified the FBI and the US Department of Justice.
At the same time, all employees were advised to change their user passwords, and Broward Health contracted a third-party cybersecurity expert to help with the investigations.
An investigation revealed that the threat actors gained access to patient’s personal medical information, which may include the following items:
- Full name
- Date of birth
- Physical address
- Phone number
- Financial or bank information
- Social Security number
- Insurance information and account number
- Medical information and history
- Condition, treatment, and diagnosis
- Driver’s license number
- Email address
Although Broward Health confirms that the network intruder has exfiltrated the above data, it notes that there is no evidence that the threat actors misused it.
Notably, the intrusion point was determined to be a third-party medical provider who was permitted access to the system to provide their services.
“In response to this incident, Broward Health is taking steps to prevent recurrence of similar incidents, which include the ongoing investigation, a password reset with enhanced security measures across the enterprise, and the implementation of multifactor authentication for all users of its systems,” explains the data breach notificaiton to affected patients and employees.
“We have also begun implementation of additional minimum-security requirements for devices that are not managed by Broward Health Information Technology that access our network, which will become effective in January 2022.”
Due to the critical nature of the exposed data, recipients of the notices need to remain vigilant against all forms of communication.
In addition, the healthcare system is offering a two-year membership of identity theft detection and protection services through Experian, with details on how to enroll enclosed in the letter.
Stolen data is often bartered privately in hidden dark web forums, so it could be too early to see signs of abuse in the wild, but that doesn’t mean the exposed individuals should get complacent.
Often, these large sets go through a time-consuming evaluation process to pick specific high-value targets for social engineering or phishing attacks. Therefore, a delay in exploiting the stolen data can be expected.
Source: www.bleepingcomputer.com