Hospital System: Data Exfiltration Breach Hits 1.3 Million
'Intruder' Accessed IT Network Through a 3rd-Party Medical Provider
A Florida-based public hospital system has kicked off the New Year by reporting to regulators a hacking incident detected in October that involved data exfiltration and affected the personal information of more than 1.3 million individuals.
In a breach notification statement posted on its website, Fort Lauderdale, Florida-based Broward Health says the October incident affected a segment of its patients and employees and that the U.S. Department of Justice had requested that the entity "briefly delay" notification about the breach due to an ongoing law enforcement investigation.
The healthcare entity says that it has no evidence that personal information compromised in the incident has been misused.
Broward Health is a public, nonprofit, three-hospital system governed by the North Broward Hospital District Board of Commissioners, a seven-member district board appointed by Florida's governor.
The incident affected more than 1.3 million individuals, including 473 Maine residents, Broward Health says in a report filed on Sunday with the Maine attorney general's office.
As of Monday, the Broward Health incident had not yet been posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
In its statement, Broward Health says that on Oct. 15, 2021, an "intruder" gained entry to its network "through the office of a third-party medical provider permitted to access the system to provide healthcare services."
Broward Health discovered the intrusion on Oct. 19, 2021, and "promptly contained the incident," the statement says. The entity also notified the FBI and the Department of Justice, required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation, the statement says.
An analysis determined that some patient and employee personal information may have been affected, including name, date of birth, address, phone number, financial or bank account information, Social Security number, insurance information and account number, medical information including history, condition, treatment and diagnosis, medical record number, driver's license number and email address.
Broward Health is offering affected individuals two years of complimentary identity and credit monitoring services.
In the wake of the incident, Broward Health is also taking steps to prevent similar future incidents, including a password reset with enhanced security measures across the enterprise and the implementation of multifactor authentication for all users of its systems, the statement says.
"Broward Health has also begun implementation of additional minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network, which will become effective in January 2022," the statement says.
Broward Health did not immediately respond to Information Security Media Group's request for additional details about the data breach.
"Too-broad access" to IT systems by third parties presents significant and common security and privacy risks among healthcare sector entities, and that needs to be managed more effectively and thoughtfully, says Kate Borten, president of privacy and security consultancy The Marblehead Group.
"If the third-party medical provider is not part of an organized health care arrangement or an affiliated covered entity - for example, an independent community practice - that third party should have their access limited to relevant patient records only," she says.
"But because some electronic health record systems do not provide adequate access controls, this limitation is not implemented," according to Borten.
In those cases, the independent community practice "is simply on an honor system to only access certain records. Thus, in addition to the issue of snooping, the impact of a hacker breach will be much greater," she says.
Borten says incidents such as the Broward Health breach "should be a reminder that granting access to a patient database is technically the equivalent of disclosing every patient's records, regardless of whether the user actually looks up every record."
Susan Lucci, senior privacy and security consultant at tw-Security, offers a similar assessment.
"Third-party-caused data breaches have been the largest source of compromise in 2020 and 2021. It is very likely to continue as healthcare continues to be stretched to limits amid this ongoing pandemic."
The type of data apparently exfiltrated in the Broward Health breach "included a huge amount of extremely confidential information, which means it is extremely valuable on the dark web," Lucci says.
"We need to remember that cybercriminals can hold onto this information for as long as they want, unlike simple credit card information which is often changed immediately when cards are compromised."
While Broward Health's public statements so far are not crystal clear about exactly what happened in the incident, the breach spotlights a number of challenges and lessons in healthcare, says regulatory attorney Brad Rostolsky of the law firm Reed Smith.
"Ultimately, there are a few unavoidable truths in the context of this type of incident. One: Hospitals and other healthcare providers will need to have access to each other’s records in order to treat mutual patients. It’s hard to lock down all potential intrusion points of a system being accessed, in part, by third parties," he says.
"That said, smaller providers who do not maintain or are not able to reasonably afford really solid security protocols may unavoidably represent a security concern to larger practices and health systems."
Data system owners should consider requiring all parties accessing their data to sign an agreement that makes clear certain obligations - including security requirements - and penalties in the event an incident occurs as a direct result of a third party’s access, he says, adding that those requirements should also be part of agreements among healthcare providers that have access to another provider's data.
And Lucci says it is critical for large healthcare systems to remind their providers to ensure their offices conduct HIPAA security risk analysis, train their workforce, and remind staff about the continuing threats of hacking incidents, ransomware and phishing.
"Email continues to be a primary target for cybercriminals," she says.