Broward Health, one of the largest health systems in the United States with more than 30 healthcare facilities, disclosed on January 1, 2022, that it suffered a data breach during which it lost important personal and medical information of its patients and staff. An intruder hacked into the network on October 15, 2021, and accessed the names, birthdays, addresses, and medical information of over 1.3 million people. The breach was discovered by the organization on October 19, 2021.

While this adds to a long list of data breaches reported last year, cyber security attacks such as the Broward Health data breach are something that could happen to any organization. Hence, thorough investigation and detailed reporting are needed so that other enterprises can learn from the incident and take essential cautionary steps.

Here’s what we know so far:

How Did the Breach Happen?

While the exact details are still fuzzy, Broward Health has officially stated the root cause to be an “external system breach (hacking)”. Apparently, the breach occurred when a cyber intruder gained unauthorized access to its network through a third-party medical provider, which already had clearance. The National Law Review speculates that the breach occurred through the third-party provider’s device on which multi-factor authentication was not implemented.

The Impact

According to Broward Health’s submission to the Maine attorney general’s office, 1,357,879 people have been affected, out of which 473 are Maine residents. The threat actor has also acquired the names or other personal identifiers, along with drivers’ license numbers and other identification card numbers. This may include birthdays, addresses, phone numbers, banking information, Social Security numbers, email addresses, and insurance information, along with medical information of patients, including patient histories and treatment, diagnosis, and medical record numbers.

This information is sufficient for a threat actor to commit medical identity theft, wherein a person uses the credentials and information of another individual, without the latter’s knowledge or consent, to obtain medical products or services. The attackers can also create fake bills for medical services that have not been provided. Stolen credit card information opens doors to all kinds of financial frauds.

However, Broward Health has officially stated there has been no evidence that the stolen data was actually misused. They added that patient care was not disrupted or impacted at any time. Furthermore, a spokesperson for the organization told CNN in an email that the hackers did not make any ransom demand and that they have not paid any ransom.

Mitigation Measures

According to the official statement, when the breach was discovered on October 19, Broward Health immediately notified the FBI and the Department of Justice, which advised them not to notify the affected people right away in order to preserve the ongoing law enforcement investigation. They also engaged a cyber security firm to conduct an extensive investigation into the incident.

The health system has initiated these procedures to reduce the impact and prevent further incidents:

• A mandatory password reset for all employees at the health system.
• Implementation of multi-factor authentication, where just a password entry would not get users into the system. They would also have to enter a verification code that would be sent to their phones or email.
• Implementation of minimum-security requirements of devices that are not managed directly by the health system.

Broward Health had to wait a couple of months to make the data breach public due to the investigation. Now they have sent notice to all those affected, apprising them of the situation. They have assured their patients not to be alarmed and have made some offers to ensure no data misuse happens. Here are some:

• A complimentary two-year membership for a service that provides for medical identity theft detection and identity theft resolution.
• Free credit monitoring to detect any kind of fraud using stolen credit card information.
• An identity theft insurance coverage, with conditions applied, for certain unauthorized electronic fund transfers.

The health system has also urged the victims to regularly review the explanation of benefits statements they receive from their health plan to look for any signs of medical identity theft.

What Can Businesses Learn?

Even though no incident of data misuse from the breach at Broward Health has been reported yet, it does not mean it would not happen. Businesses must learn from the incident and be cautious while dealing with third-party service providers with access to the main system. Here are some measures organizations can undertake to avoid a similar breach:

• Businesses must provide system access to third-party services only if necessary.
• If they have to provide access, businesses should ensure the third-party services have already deployed effective security measures.
• Identify every user and device that has access to the network.
• Have a team of cyber security experts check the system for vulnerabilities and the scope for a breach.
• Have the incident response team ready to engage in case of a data breach, and inform the government authorities as soon as possible.

Breaches like this can happen to any organization, especially those who handle sensitive personal and financial information of their staff and clients. A cyberattack like this, especially in a privately-owned organization, can corrode the client’s trust and overall reputation. Not to mention the ensuing legal procedures and financial burden that come with the mitigation process. It’s important for organizations to stay updated on such incidents and learn what transpired so they can take appropriate measures to avoid such events in their own space.