The southwest Florida health system was attacked by hackers on 15th November 2021, potentially exposing personal and sensitive information on 1.3 million patients and members of staff.
According to reports, there is no evidence that the stolen information has been misused, and there did not appear to be any ransom demand or payments. However, Broward are offering 24 months of identity theft protection for any impacted patients.
Following the attack, the hospital system has implemented Multi Factor Authentication (MFA) for all users of its systems and set minimum-security requirements for devices not managed by Broward Health Information Technology that have access to their network.
Healthcare organisations continue to be a target for cybercriminals with the number of attacks increasing during the COVID-19 pandemic. The main reason why the industry is targeted so frequently, is the value of personal data that healthcare providers keep.
The health system said it discovered the intrusion four days later, on Oct. 19, and contained the incident, then notified the FBI and the Department of Justice (DOJ). Broward Health said it waited months to notify victims and make the breach public because the DOJ told them to hold off on sending out breach notification letters to preserve an ongoing law enforcement investigation, the health system said. The health system also immediately required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation. Broward Health engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined patient and employee personal information may have been impacted. The hackers accessed names, birthdays, addresses, banking information, Social Security numbers, drivers’ license numbers, patient histories and treatment/diagnosis records.