PHI Breach, Data Exfiltration at Broward Health Impacts 1.3 Million

January 04, 2022 - Florida-based health system Broward Health provided notice of an October 2021 healthcare data breach that exposed protected health information (PHI) and resulted in data exfiltration. The breach has not been posted to the Office for Civil Rights (OCR) data breach portal yet, but a submission to the office of the Maine attorney general revealed that the breach impacted 1,357,879 individuals.

Although the breach occurred on October 15, 2021, Broward Health stated in its announcement that the Department of Justice (DOJ) requested that the health system briefly delay notification to avoid interfering with an ongoing law enforcement investigation.

An unauthorized bad actor gained access to Broward Health’s network through the office of a third-party medical provider. The exposed information included Social Security numbers, phone numbers, birth dates, addresses, email addresses, financial account information, insurance information and account numbers, medical record numbers, and driver’s license numbers.

The hacker also gained access to medical information, including medical history, conditions, treatment, and diagnosis information.

The unauthorized party exfiltrated, or removed, the data from Broward Health’s systems, but there is currently no evidence that the information was misused.

Broward Health discovered the intrusion on October 19 and immediately contained the incident, notified the Federal Bureau of Investigation (FBI) and the DOJ, and engaged an independent cybersecurity firm to investigate the incident. The South Florida health system also required all employees to reset their passwords and hired a data review specialist to determine what data were impacted.

“Broward Health takes the protection of personal and medical information on its network very seriously,” the notice stated.

“We regularly review our systems as well as our privacy and security practices to enhance those protections. In response to this intrusion, Broward Health is taking steps to prevent recurrence of similar incidents, which include the ongoing investigation, a password reset with enhanced security measures across the enterprise, and the implementation of multifactor authentication for all users of its systems.”

The health system also said that it began implementing additional minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network. The new requirements will go into effect in January 2022.

Broward Health is offering impacted employees and patients two years of free identity theft protection. The health system urged breach victims to be aware of the dangers of medical identity theft.

“Medical identity theft occurs when someone uses an individual’s name, and sometimes other identifying information, without the individual’s knowledge to obtain medical services or products, or to fraudulently bill for medical services that have not been provided,” the statement explained.

“We suggest that you regularly review the explanation of benefits statements that you receive from your health plan. If you see any service that you did not receive, contact the health plan at the number on the statement.”

Healthcare data breaches are likely to remain a trend going into the new year, even as many health systems bolster their cybersecurity practices. Last year, more than 550 organizations reported healthcare data breaches to HHS.