Broward Health hacked in October, delayed reveal at DOJ request

January 05, 2022
by Thomas Dworetzky, Contributing Reporter
On October 15, 2021, Broward Health network suffered a hack via “the office of a third-party medical provider permitted to access the system to provide healthcare services,” the organization said in a statement released January 3, 2022.

It also stated that the delay in announcing the breach was because, “the DOJ requested that Broward Health briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation.”

The intrusion was spotted by Broward on October 19, 2021, was contained at that time, and the FBI and DOJ were notified at that point.

Security precautions were put in place that included a password reset for all employees, the hiring of a cybersecurity firm for an investigation, and the onboarding of a data-review specialist to assess the extent of the information theft.

Research revealed that thieves gained access to — and stole — personal medical information including name, date of birth, address, phone number, financial or bank account information, Social Security number, insurance information and account number, medical information including history, condition, treatment and diagnosis, medical record number, driver’s license number, and email address.

Broward did not address the number of people impacted in its release, but in a filing with the Maine attorney general's office, the organization put the total at 1,357,879.

Stating that it “takes the protection of personal and medical information on its network very seriously,” the organization advised that various steps have been taken to prevent a similar attack from taking place. Some of these include the implementation of multifactor authentication for all users of its systems and beefed-up security requirements for devices not managed directly by Broward's IT department that need access to its network.

To date, no misuse of the stolen data has been uncovered, but Broward advised those impacted that it would provide a complimentary two-year membership of Experian’s IdentityWorks, and that they should monitor accounts for unauthorized activities.

Medical facilities have become frequent cybercrime targets. On December 17, Capital Region Medical Center was hit by a brutal cyberattack.

"While our information security team is working diligently to bring our systems back online as quickly, and securely, as possible, nothing is more important to us than the health and safety of our patients and continuing to provide the care our patients expect," Lindsay Huhman, CRMC director of marketing and communications, stated at the time.

Despite the hard work, the attack continued to damage CRMC. As late as December 31, 2021, the impact was still being felt, according to a News Tribune report, although, “signs of recovery showed Thursday.” These included a phone system that was working better and the online reappearance of the hospital's website.

In November 2021, a report showed just how prevalent cyberattacks against healthcare providers have become. The report, by data security firm Medigate and cloud-based protection provider CrowdStrike, found that in the prior 18 months 82% of healthcare providers suffered an IoT cyberattack — and 34% of them were hit with ransomware.

There is no easy way around such demands, according to the findings in the study, titled "Healthcare IoT Security Operations Maturity – A Rationalized Approach to a New Normal.” Fully 33% paid the ransom, but only 69% of those reported that doing so led to the full restoration of their data.