On January 1, 2021, Broward Health announced it was the victim of a cyberattack involving data exfiltration that started on October 15, 2021. The attackers gained access to parts of its network that housed the personal and protected health information of patients and sensitive employee data.
The incident was detected on October 19, 2021. Steps were immediately taken to prevent further unauthorized access, and a third-party cybersecurity firm was engaged to investigate and determine the nature and scope of the breach.
It was confirmed that an unauthorized individual had gained access to its network through the office of a third-party medical provider, which had been granted access to its network to provide healthcare services. The cyberattack was reported to the Department of Justice and a comprehensive review was conducted to determine which individuals had been affected and the types of data that may have been compromised.
The review revealed that highly sensitive data had potentially been viewed and stolen in the attack, including names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health information (such as histories, diagnoses, and treatment information), health insurance information, financial/bank account information, and medical record numbers. It is currently unclear if the attacker exfiltrated the above types of information for all affected individuals. The breach report submitted to the Maine Attorney General indicates 1,357,879 individuals have potentially been affected.
Broward Health said that no reports have been received to date of any misuse of patient or employee information as a result of the breach. Still, affected individuals should be vigilant as the exfiltrated data may be used for fraudulent purposes.
Broward Health said the Department of Justice requested a short delay in announcing the breach and issuing notification letters so as not to interfere with the criminal investigation into the breach. Notification letters are now being sent, and affected individuals have been offered complimentary credit monitoring and identity theft protection services for 2 years.
Broward Health says it has implemented new policies that require all devices not managed by its IT department to meet minimum standards for security before being granted access to its network, and those policies will take effect in January 2022. Multifactor authentication has also been implemented for all users of its systems.