The U.S. public health system Broward Health recently disclosed a large-scale data breach that affected 1,357,879 people. Broward Health is a Florida-based health care system with more than thirty locations offering a wide range of medical services and receiving more than 60,000 admitted patients each year.
The healthcare system disclosed a cyberattack that took place on October 15, 2021, when an intruder gained unauthorized access to the hospital's network and patient data. The organization discovered the intrusion four days later, on October 19, and immediately notified the FBI and the U.S. Department of Justice.
Meanwhile, all employees were advised to change their user passwords, and Broward Health engaged a third-party cybersecurity expert to help conduct the investigation.
The investigation revealed that the hackers who broke into the website obtained patients' personal medical information, which may include the following:
Full name
Date of birth
Physical address
Telephone number
Financial or banking information
Social Security Number
Insurance information and account number
Medical information and history
Condition, treatment and diagnosis
Driver's license number
Email address
While Broward Health confirmed that the hackers had leaked the aforementioned data, it noted that there was no evidence that they had misused it. Notably, the point of compromise was identified as a third-party medical institution that had been granted access to the system to provide services.
"In response to this incident, Broward Health is taking steps to prevent the recurrence of similar incidents, including ongoing investigations, password resets that strengthen security measures across the enterprise, and implementing multi-factor authentication for all users of its systems," Broward Health explained in a data breach notification to affected patients and employees.
"We are also beginning to implement additional minimum security requirements for devices that access our network that are not managed by Broward Health Information Technology, which will take effect in January 2022."
Because of the critical nature of the exposed data, recipients of the notification need to be vigilant about all forms of communication. In addition, the health care system is offering a two-year identity theft detection and protection service through Experian and has provided details of how to register.