More than 1.3 million patients and employees of Broward Health are being notified that their protected health information was stolen after a hack on a connected third party. The health system operates a number of hospitals, urgent care centers, and other care facilities in Florida.
On Oct. 15, an attacker gained access to the Broward Health network through an access point tied to a third-party healthcare service provider. Discovered four days later, Broward Health promptly contained the incident and reset all employee passwords before notifying the FBI and the Department of Justice.
Broward Health contracted with a third-party cybersecurity firm to support its investigation, as well as a data review specialist to perform an analysis of the impacted data. The investigation determined the hacker exfiltrated both employee and patient information from the network.
The stolen medical information included names, Social Security numbers, financial or bank account information, dates of birth, contact information, medical histories, conditions, treatments, diagnoses, medical record numbers, and driver’s licenses. All impacted individuals will receive two years of identity theft detection resolution services.
The delay in notification was caused by a DOJ request to do so, to ensure the ongoing law enforcement investigation was not compromised, according to officials.
Broward Health has since enhanced security measures across the enterprise, including the implementation of multi-factor authentication for all user access points. The health system has also started requiring “minimum-security requirements” for all devices not managed by the Broward Health IT team and with access to the network, effective Jan. 1, 2022.
Given the access was caused by a vendor access point, the exfiltration incident spotlights the ongoing challenges facing healthcare when it comes to its complex ecosystem and extensive list of necessary vendors.
For Steve Moore, chief security strategist at Exabeam, even providers with robust security stacks can remain vulnerable to hacks from compromised credentials, especially when stolen credentials belong to third parties or vendors.
Vendor access is necessary in healthcare but it severely increases risk, and failing to mitigate the issue can result in adverse outcomes, Moor explained. Healthcare entities must ensure all vendors are “up to the same security standards, and perfect is difficult.” Recommended steps include training, feedback loops, visibility and effective technical capabilities.
“A helpful defender capability is the development of a baseline for normal employee and third-party vendor behavior that can assist organizations with identifying compromised credentials and related intrusions,” said Moore. “If you can establish normal behavior first, only then can abnormalities be known - a great asset in uncovering unknowingly compromised credentials."
Two weeks after reporting a network outage brought on by a cyberattack, Capital Region Medical Center is still leveraging electronic health record (EHR) downtime procedures with backup processes, according to a Dec. 28 social media update.
All patient services are continuing as normal across all CRMC care sites, with clinicians and care teams using paper and pen to maintain care services. CRMC has expanded its support for administrative services to bolster patient registration and follow-up with patients.
As previously reported, CRMC took its network offline after discovering unusual activity in its phone system. At the time, phone calls to the Missouri provider led to a busy signal, and the calls that made it through were unable to be transferred due to the ongoing network issues.
The outage also affected the CRMC website address, which instead sent users to a GoDaddy placeholder. The website is now back online. Technicians are continuing restoration efforts, “diligently working to manage systems and prepare the infrastructure for a secure recovery.”
CRMC officials say they’ll provide another update when more is known. For now, patient care is the primary focus as the hospital continues to experience a high level of patient volumes due to the ongoing COVID-19 pandemic and flu season. Patients are being warned to expect extended wait times at the emergency department.
“Nothing is more important to us than continuing to provide the care our patients expect, and our clinical teams are working diligently to support patients and their families,” officials said in a statement. “We thank all partners who have extended resources to assist through this experience.”
Saltzer Health, an Intermountain company, is just now notifying 15,650 patients that their data was potentially compromised after the hack of an employee email account in June 2021.
Under The Health Insurance Portability and Accountability Act, healthcare entities are required to report data breaches impacting 500 or more individuals within 60 days of discovery. Other covered entities have shown the best way to remain compliant with the rule is to notify patients, in general, while continuing the laborious task of forensically analyzing affected email accounts.
Saltzer Health first discovered suspicious activity in an employee email account on June 1 and launched its investigation, which found an attacker accessed the account for about a week between May 25 and June 1. The investigation could not determine if the account contents were viewed, accessed, or stolen.
The Idaho health system then began a comprehensive review to determine what patient information was stored in the impacted account, then conducted a manual review of internal records to establish the identity and contact information of the impacted individuals.
The compromised data varied by patient and could include names, SSNs, financial account information, contact details, driver’s licenses, state ID numbers, medical record numbers, patient ID numbers, medical histories, diagnoses, treatments, provider information, prescriptions, and health insurance details.
Saltzer Health has since issued a password reset for the impacted employee email account and is currently monitoring its network activity.
An employee email hack at third-party vendor Ciox Health in June 2021, potentially compromised the data of an undetermined number of patients tied to 32 of Ciox Health’s clients in the healthcare sector. Much like the Saltzer Health notice, it’s being issued six months after the initial hack occurred.
The Ciox notice does not detail when the security incident was first discovered, just that a singular employee email account was accessed for a week between June 24 and July 2. During the hack, the attacker may have downloaded the emails and attachments stored in the account.
Despite the potential data exfiltration, “Ciox believes that the account access occurred for purposes of sending phishing emails to individuals unrelated to Ciox, not to access patient information.”
On Sept. 24, Ciox confirmed limited patient information was contained in the affected account, including billing inquiries and customer service requests. A review into the affected accounts concluded on Nov. 2. The affected account did not have direct access to any healthcare clients' EHR systems.
The potentially downloaded information could involve patient names, dates of birth, provider names, and/or dates of services. For some individuals, the information included SSNs, driver’s license numbers, health insurance details, and/or clinical or treatment data.
For a month between November and the end of December, Cioz has been working to notify the impacted clients, while supporting those covered entities with notifying the affected patients.
Ciox officials say they will “continue to identify opportunities to implement additional procedures to further strengthen our email security, including by providing enhanced cybersecurity training to our employees.”
At least 32 covered entities were affected by the incident, including Northwestern Medicine, Prisma Health, MD Partners, Copley Hospital, and AdventHealth - Orlando.