Florida-based Broward Health announced this weekend that a data incident in October had affected the personal information of more than 1.3 million patients and staff members.
According to a notice posted to the health system’s website, an intruder accessed its network through the office of a third-party medical service provider.
A report to the Maine Attorney General said that 1,357,879 people had been affected by the incident.
“No matter how robust your security stack is, your organization can still be vulnerable to intrusions stemming from compromised credentials – especially those that belong to third-party vendors and partners,” noted Steve Moore, amino acid pills or protein powder chief security strategist at Exabeam, in a statement to Healthcare IT News.
WHY IT MATTERS
The details of the attack, including any suspected perpetrator identities, were not made public.
However, Broward did say that the intruders had access to its system from October 15 through October 19. Upon discovery, said the health system, it “promptly contained the incident, notified the FBI and the Department of Justice, required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation.”
“Broward Health also engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined some patient and employee personal information may have been impacted,” it continued.
According to Broward, the DOJ requested that it delay notifying the public of the incident so as to reduce potential compromise of the investigation.
The attackers removed personal medical information from Broward’s systems, including:
- Date of birth
- Phone number
- Financial or bank account information
- Social Security number
- Insurance information and account number
- Medical information, including history, condition, treatment and diagnosis
- Medical record number
- Driver’s license number
- Email address
“While Broward Health has no indication that your personal information has been used to commit fraud, we recommend that you consider steps to protect yourself from medical identity theft,” said the health system.
Broward Health said it is taking steps to prevent a similar incident from taking place in the future, including minimum-security requirements for devices not managed by Broward Health information technology with network access.
Experts reiterated the importance of safeguarding potential vulnerabilities in an organization’s cybersecurity landscape.
“Giving network access to third parties only increases risk,” said Moore. “As a result, even the best organizations must manage this problem perfectly to avoid adverse outcomes as well as ensure that partners are up to the same security standards, and perfect is difficult.”
“Proper training, feedback loops, visibility, and effective technical capabilities are the keys to managing the risk of compromised insiders and external adversaries to protect important health information,” he said.
THE LARGER TREND
The incident is the latest in a long string of cyber attacks last year.
During the holiday season, multiple organizations reported incidents (although some had, like Broward’s, taken place in the months prior). Some CompuGroup Medical employees, for example, appeared to be spending the last few weeks of 2021 fighting to get systems fully back online.
In 2021 alone, healthcare organizations reported breaches compromising more than 40 million total patient records – and experts say cyber criminals likely aren’t going anywhere.
ON THE RECORD
“Organizations must take a data-centric approach to security in order to uplevel overall risk posture,” said Adir Gruss, vice president of technical solutions at Laminar.
“The biggest challenge impeding data security teams today is that as more and more organizations move toward the cloud, they have lost track of where sensitive data resides. You simply cannot protect what you don’t know about,” Gruss said.
Kat Jercich is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
Source: Read Full Article