A major data breach was reported by Florida’s Broward Health on January 1, 2022, that involved the personal and protected health information of more than 1.3 individuals. Hackers gained access to its network on October 15, 2021, through the office of a third-party healthcare provider that had been granted access to Broward Health’s network to provide medical services.
The cyberattack was detected four days later on October 19, 2021, and access to the network was immediately blocked and a password reset was performed for all user accounts. A third-party cybersecurity firm was then engaged to conduct an investigation, which confirmed that data had been exfiltrated from its network.
A comprehensive review of the files stored on the parts of the network that were accessed confirmed they contained patient and employee data including names, email addresses, phone numbers, addresses, dates of birth, medical record numbers, Social Security numbers, health insurance information, financial/bank account information, driver’s license numbers, and health information such as diagnosis, conditions, treatment information, and medical histories.
The breach was reported to the Department of Justice, which requested a short delay in announcing the breach to avoid hampering the law enforcement operation. Notification letters are now being sent to affected individuals, who have been offered a complimentary 2-year membership to credit monitoring and identity theft protection services with Experian.
Since sensitive information has been stolen, affected individuals have been advised to closely monitor their accounts and explanation of benefits statements for signs of fraudulent activity. At the time of issuing notifications, no reports have been received of any cases of actual or attempted misuse of the stolen data.
The Fort Lauderdale-based hospital system said it regularly reviews its privacy and security practices and takes steps to enhance protections. Following the breach, further measures have been implemented, including multifactor authentication for all user accounts and a new policy that requires all devices not managed by the IT department to meet minimum security standards before being granted access to the network.
The breach report has not yet appeared on the HHS’ Office for Civil Rights breach portal but has been reported to the Maine Attorney General as affecting 1,357,879 individuals.