On January 1, 2022, Broward Health, which operates dozens of healthcare facilities in Broward County, Florida, notified more than 1.3 million people that a malicious actor had gained access to data from its system and had it deleted on October 15, 2021. The data that was exfiltrated and compromised included names, addresses, dates of birth, driver’s license numbers, social security numbers, financial, insurance, and medical information.
According to the notification letter, “the intrusion occurred through the office of a third-party medical provider authorized to access the system to provide healthcare services.”
Broward Health offers affected individuals credit monitoring. Following the incident, it required password resets for its users and implemented multi-factor authentication (MFA) “for all users of its systems.” It also revealed that it implements “minimum security requirements” for devices that have access to its network and are not managed by its internal IT professionals.
Reading between the lines and purely speculating, I’m assuming the incident happened via a 3rd party medical provider’s device that had access to Broward Health’s system, but didn’t deploy MFA, causing or contributing to the intrusion. This breach demonstrates how a third party can cause an incident if they have access to your network but do not have the same or similar security measure in place as you, and highlights the importance of identifying all users/devices with access to your network, and require all users to implement security measures consistent with yours.
Copyright © 2022 Robinson & Cole LLP. All rights reserved.National Law Review, Volume XII, Number 6