A large-scale data breach affecting 1,357,879 people has been disclosed by the Broward Health public health system. Broward Health is a Florida-based healthcare organization with more than thirty facilities that provide various medical services and over 60,000 annual admissions.
On October 15, 2021, the healthcare system announced a cyberattack in which an attacker got illegal access to the hospital’s network and patient information. Four days later, on October 19, the organization detected the infiltration and quickly contacted the FBI and the US Department of Justice.
Meanwhile, all staff members were told to change their user passwords. Broward Health also hired a third-party cybersecurity expert to assist with the investigations. According to the examination, threat actors were able to get access to a patient’s confidential medical information, which might include the following:
-
Full name
-
Date of birth
-
Email address
-
Phone number
-
Physical address
-
Social Security number
-
Driver’s license number
-
Financial or bank information
-
Medical information and history
-
Condition, treatment, and diagnosis
-
Insurance information and account number
Although Broward Health admits that a network intruder stole the data mentioned above, it says there is no proof that the threat actors exploited it. The intrusion point was identified as a third-party medical provider who was given access to the system to perform their services.
“In response to this incident, Broward Health is taking steps to prevent recurrence of similar incidents, which include the ongoing investigation, a password reset with enhanced security measures across the enterprise, and the implementation of multifactor authentication for all users of its systems,” outlines the data breach notification to affected patients and staff.
“We have also begun implementation of additional minimum-security requirements for devices that are not managed by Broward Health Information Technology that access our network, which will become effective in January 2022.”
Because of the exposed data’s sensitive nature, recipients of the alerts must be wary of all kinds of communication. Furthermore, the healthcare system is giving a two-year subscription to Experian’s identity theft detection and protection services, with information on how to sign up included in the letter.
Stolen data is frequently traded on secret dark web forums, so it may be too early to notice signs of abuse in the wild, but that doesn’t mean those who have been exposed should relax. These enormous databases are frequently subjected to a time-consuming review procedure to choose specific high-value targets for social engineering or phishing attacks. As a result, a delay in using the stolen data is expected.