Over the weekend, Florida's Broward Health hospital system disclosed a data security incident that compromised the personal and medical information of over 1.3 million patients and staff.
According to a statement published on the Broward Health website, the data breach occurred on Oct. 15, when an unknown attacker accessed its network via an undisclosed third-party medical provider.
“An intruder gained entry to the Broward Health network through the office of a third-party medical provider permitted to access the system to provide healthcare services,” the data breach notification reads. “Broward Health discovered the intrusion on October 19, 2021, and promptly contained the incident, notified the FBI and the Department of Justice (DOJ), required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation.”
Broward Health did not say in its public statement how many patients and employees were affected, but a data breach submission to the Maine Attorney General's office lists 1,357,879 impacted individuals.
Officials also noted that the delay in notifying affected individuals was necessary and was requested by the Department of Justice (DOJ) so that notification would not compromise an ongoing police investigation.
So far, the investigation has revealed that the threat actor stole personally identifiable information (PII) and personal health information (PHI), including name, birth date, address, phone number, financial or bank account information, Social Security number, insurance information and account number, driver's license number, email address, medical history, condition, treatment and diagnosis, and medical record number.
As a result, Broward Health is offering a 24-month subscription to an identity theft protection service, and said it has implemented two-factor authentication for all users, and "minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network."
Plan your data breach recovery
Personal health information collected or created by healthcare entities is highly desirable in the cybercriminal community. Health information has a very long shelf life: it never changes, and malicious actors can easily monetize the data to conduct medical identity theft and other fraudulent activity. On top of stealing medical services and benefits from victims, a malicious actor can misuse patient data to conduct targeted extortion and blackmail attacks via email, phone or text.
If you’re a victim of a medical data breach, keep an eye on all your medical bills and review medical records for suspicious entries. You should also be wary of any unsolicited emails or suspicious messages, and immediately notify your healthcare provider of any unrecognized entries. Fraudulent charges or threats should immediately be reported to your local authorities.
Data breaches are a constant reminder that we shouldn’t rely on others to take care of our information. While there is no bulletproof solution to keep your data breach-free, knowing when and how to respond to a data breach can go a long way in preventing financial damages and speeding up your recovery process.
Bitdefender Digital Identity Protection is a privacy-focused service that helps you manage your digital footprint. You get real-time data breach notifications and learn about the information that you knowingly and unknowingly left behind online. The service only uses your email address and phone number to check for possible privacy-related issues and alerts you whenever data associated with your online accounts is leaked.