Hospital Cybersecurity Attack Exposes Info On More Than 1.3 Million Patients

News has emerged that hackers exposed personal and financial information on more than 1.3 million people in an attack on a Southeast Florida healthcare system. Broward Health operates a network of more than 30 healthcare facilities serving the roughly 2 million people living in Broward County, Florida.

The cybercriminals who attacked Broward Health exposed sensitive information about the patients, including Social Security numbers, patient medical history and bank account information.  The breach took place in October last year, but the patients who were affected were not informed until January 1 of this year.

Following the episode, the health system required password resets for all users, and also implemented multifactor authentication for all users and systems. Broward Health is also implementing minimum security requirements for devices that access its network but are not managed by its internal IT professionals.

While healthcare ransomware attacks have become very common, in this case the hackers did not make any ransom demand. A hospital spokesperson told CNN that patient care was not disrupted or impacted during or following the incident.

According to CNN, the intruders accessed Broward Health’s networks via a third-party medical provider. A security expert who covered the incident speculates that the incident took place when a device held by a third-party medical provider — one which had not deployed MFA — left the door open for hackers to intrude.

According to the healthcare network, there is no evidence that the information was actually misused by the intruder. This of course raises the question as to why the attackers bothered in the first place.

Of course, just because Broward Health isn’t aware of the data being misused just yet doesn’t mean it’s not going to happen. Identity theft is certainly still an attractive option for cyberattackers, even if comes with potentially greater legal risks than those who launch ransomware campaigns.  (I make this assertion about the relative safety of launching a ransomware attack not because I’m a legal expert, but because I seldom hear about the criminals behind such attacks getting caught.)

Still, I find myself wondering whether this is some sort of revenge attack by a disgruntled former IT staffer from the health system. The way I look at this episode, it looks like the kind of thing someone would do who had a grudge first and foremost.

After all, if I were attempting to breach the Broward Health system first and foremost to make money, I think I might start by doing something smaller. A massive breach like this one is sure to generate headlines and the rush of attention that follows such headlines.

That press spotlight makes it less likely that those whose information was stolen will be caught unaware when their personal data is exploited. And this, of course, is bad for the (crime) business.

Ultimately, the main lesson here is to be sure your third-party providers have strong enough security measures in place to protect all the devices accessing your network. That being said, it never hurts to be reminded that even a single disgruntled IT employee can cost your organization many millions of dollars. After all, while Broward Health seemingly didn’t share what the breach cost, the numbers have got to be huge!

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

   

Categories