On January 3, according to BleepingComputer, the US public health system Broward Health disclosed a data breach that affected 1,357,879 people.
Broward Health is a medical system in Florida that has more than 30 branches and provides medical services to more than 60,000 people every year.
Broward Health disclosed a cyberattack that took place on October 15, 2021, when an intruder gained unauthorized access to the hospital’s network and patient data.
Four days later, on October 19, the organization discovered the intrusion and immediately notified the FBI and the U.S. Department of Justice.
After the incident, Broward Health promptly reminded all employees to change user passwords and hired third-party network security experts to assist in the investigation.
According to the expert investigation, the attackers who broke into the website obtained patients’ personal medical information, which may include the following:
Date of birth
Financial or banking information
Social Security number
Insurance information and account number
Medical information and medical records
Condition, treatment, and diagnosis
Driver’s license number
Although Broward Health has admitted that the above-mentioned data has been leaked, it pointed out that there is no evidence that the attackers misused the data.
It is worth noting that the point of intrusion was determined to be a third-party medical provider, which provides services by accessing the medical system and therefore has certain access rights.
“In response to this incident, Broward Health is taking measures to prevent similar incidents from happening again, including ongoing investigations, password resets to strengthen security measures across the enterprise, and the implementation of multi-factor authentication for all users in the system,” Broward Health explained to affected patients and employees.
“We are also beginning to implement additional minimum security standards for non-Broward Health managed devices that access our network, which will take effect in January 2022.”
Because the leaked data is sensitive, recipients of the notification need to be vigilant about all forms of communication.
In addition, the medical system is using Experian to provide a two-year identity theft detection and protection service. The notification letter also contains a detailed registration guide.
Stolen data is usually exchanged privately on dark web forums, so it is difficult to find out how the leaked data has been misused in the wild, but this does not mean that the data has not been misused.
Generally speaking, processing huge data sets is a time-consuming task. Only after the data has been evaluated can specific high-value targets be selected for social engineering or phishing attacks. It is therefore not surprising that there is a certain delay between data being stolen and being misused.