2021 was another record-breaking year for healthcare data breaches. As of December 31, 2021, 686 healthcare data breaches had been reported to the HHS’ Office for Civil Rights that affected 44,993,618 individuals. That number is sure to grow over the coming days as the end-of-year breach reports are added to the HHS’ Office for Civil Rights breach portal.
While there are hopes that the number of breaches – and exposed records – will reduce in 2022, the year has not gotten off to a great start. On January 1, 2022, a major data breach was reported by Fort Lauderdale, FL-based Broward Health: the operator of 5 hospitals and several healthcare facilities in over 30 locations in Broward County.
On October 19, 2021, Broward Health’s IT department identified a security breach and immediately took steps to secure its network, including a password reset for all employees. An investigation was immediately launched to determine the nature and scope of the breach, with assistance provided by a third-party cybersecurity company.
The investigation confirmed that Broward Health’s network was first accessed by an unauthorized individual on October 15, 2021, through the office of a third-party healthcare provider. That provider had been granted access to Broward Health’s network to provide medical services.
Broward Health has confirmed that the attacker exfiltrated data from its network including files containing sensitive patient and employee information such as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, financial/bank account information, driver’s license numbers, medical record numbers, and health information, including diagnoses, medical conditions, treatment information, and medical histories.
The breach report recently submitted to the Maine Attorney General indicates up to 1,357,879 individuals have been affected, including 473 Maine residents. Broward Health said it is unaware of any attempted or actual misuse of patient data at the time of issuing notification letters, but affected individuals have been advised to check their accounts and statements for signs of misuse of their information. Affected individuals have been offered 24 months of credit monitoring and identity theft protection services.
The breach was promptly reported to the Department of Justice, which recommended delaying any announcements about the data breach so as not to interfere with the law enforcement investigation, hence the delay in issuing breach notification letters.
Providing third parties with access to internal networks is necessary for healthcare operations but carries a risk. To reduce that risk, Broward Health said that from January 2022, all devices not managed by its IT department will have to meet new minimum security standards prior to being granted access to its network. Multifactor authentication has also been implemented for all user accounts.