Broward Health, a healthcare system in South Florida, suffered a data breach in October 2021 that impacted patient and employee personal information. 


The personal medical information accessed included name, date of birth, address, phone number, financial or bank account information, Social Security number, insurance information and account number, medical information including history, condition, treatment and diagnosis, medical record number, driver’s license number and email address. This personal information was exfiltrated (removed from Broward Health’s systems); however, there is no evidence that the information was actually misused. 


In a data breach notification to the Office of the Maine Attorney General, Broward Health said 1,357,879 people were affected by the breach.


On October 15, 2021, attackers accessed the healthcare system’s network through a third-party medical provider. Broward Health discovered the intrusion on October 19, 2021, and quickly contained the incident, notified the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), reset all employee passwords and engaged an independent cybersecurity firm to conduct the investigation. The DOJ requested that Broward Health delay the notification to ensure that it would not compromise the ongoing law enforcement investigation.


A data review specialist conducted an extensive analysis of the data to determine what was impacted and found that some patient and employee personal information may have been impacted.


While Broward Health has no evidence that employee or patient information has been used to commit fraud, patients and staff should take steps to protect against medical identity theft. This type of theft occurs when someone uses an individual’s name and sometimes other identifying information without the individual’s knowledge to obtain medical services or products or to fraudulently bill for medical services that have not been provided, Broward Health says. 


According to Broward Health, it has taken several steps to enhance security measures across the enterprise, including implementing multi-factor authentication for all users of its systems. Additional minimum security requirements have also been implemented for devices that access its network but are not managed by Broward Health Information Technology (IT).


Adir Gruss, vice president of technical solutions at Laminar, says, “Organizations must take a data-centric approach to security in order to uplevel overall risk posture. The biggest challenge impeding data security teams today is that as more and more organizations move toward the cloud, they have lost track of where sensitive data resides. You simply cannot protect what you don’t know about. In order to protect against a majority of today’s cyberattacks, IT teams must prioritize visibility into cloud data, including supply chain access. With that knowledge, data protection teams can move from gatekeepers to enablers.”


Steve Moore, chief security strategist at Exabeam, notes, “No matter how robust your security stack is, your organization can still be vulnerable to intrusions stemming from compromised credentials — especially those that belong to third-party vendors and partners. According to the Verizon 2021 Data Breach Investigations Report, over 80% of breaches involve brute force attacks or the use of lost or stolen credentials. Giving network access to third parties only increases risk. As a result, even the best organizations must manage this problem perfectly to avoid adverse outcomes as well as ensure that partners are up to the same security standards, and perfect is difficult. Proper training, feedback loops, visibility, and effective technical capabilities are the keys to managing the risk of compromised insiders and external adversaries to protect important health information.”


Moore adds, “A helpful defender capability is the development of a baseline for normal employee and third-party vendor behavior that can assist organizations with identifying compromised credentials and related intrusions. If you can establish normal behavior first, only then can abnormal be known — a great asset in uncovering unknowingly compromised credentials.”