Exfiltration at a Broward Health third-party medical provider
by Kapua Iao
Data exfiltration occurred at a business associate of Broward Health, a Florida-based health system. The health system, with over 30 healthcare locations in Broward County, just released its breach alert.
Cyberattacks continue to wreak havoc on healthcare providers, their business associates, and patients’ protected health information (PHI). In fact, four of the 10 largest incidents were directly caused by vendors.
Such numbers show that covered entities and their business associates are not doing everything they can, and must, do to protect patients’ and employees’ information.
The data breach happened on October 15, 2021, when a hacker gained access through a third-party medical provider. The health system discovered the breach on October 19.
Broward Health immediately contained the incident and then notified the FBI, the Department of Justice (DOJ), and an independent cybersecurity firm.
The DOJ requested that Broward delay notification to avoid interference with the investigation. An independent data review specialist determined that the breach impacted the following PHI:
- Names
- Birthdates
- Addresses and phone numbers
- Banking information
- Social Security numbers
- Driver’s license numbers
- Medical information
- Insurance information
The incident is now listed on the Office for Civil Rights’ (OCR) Breach Portal as a hacking/IT incident affecting 1,351,431 individuals.
According to the alert, the information was exfiltrated but “there is no evidence [it] was actually misused.” The cyberattack does not appear to involve ransomware; no ransom demand was made.
Patient care remains undisturbed, although an affected patient has already filed a class-action lawsuit against Broward Health.
Don’t let business associates be a problem
Just like covered entities, business associates must be HIPAA compliant.
According to HIPAA, a business associate is a person or entity that performs certain functions or activities involving the use or disclosure of PHI. Healthcare organizations rely on these third-party vendors for a variety of functions.
This particular breach demonstrates that a business associate can cause an incident if it has access to a network or PHI and does not apply the same security measures as the covered entity.
It may also demonstrate that blame can fall on the covered entity if certain provisions aren’t in place: OCR lists this breach under the healthcare provider rather than the business associate.
Before a covered entity works with a business associate, it is necessary to:
- Understand security measures in place
- Require security measures comparable to its own
- Control the type of accessible information
- Identify all users/devices with access
- Sign a business associate agreement (BAA)
In fact, this list applies to the covered entity itself as well, helping it stay HIPAA compliant and avoid a HIPAA violation.
Protection, protection, protection
Cyberattacks like this one clearly show that healthcare organizations (and business associates) must strengthen their network and access security measures.
After the incident, Broward Health asked all employees to reset their passwords. The health system also implemented multifactor authentication and additional security requirements for non-Broward devices.
Beyond this, Broward Health and all healthcare organizations should also provide consistent and up-to-date employee awareness training along with strong access controls like MFA.
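The controls described here (MFA for everyone, extra requirements for non-organization devices) and the vendor checklist above (control the type of accessible information, identify every account with access) can be expressed as a deny-by-default access policy. The following is an added illustration, not code from Broward Health, Paubox or any real identity platform; the account names, PHI categories, sign-in fields and the allow-list are constructed for the demo.

```python
"""Illustrative deny-by-default access policy for business-associate accounts.

Added example, not Broward Health's or Paubox's code. Account names, the
vendor allow-list and the sign-in records are constructed for this demo.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed allow-list derived from each vendor's BAA: which vendor accounts
# exist and which PHI categories each may reach (least privilege).
VENDOR_ACCESS = {
    "vendor-imaging-svc": {"medical"},
    "vendor-billing-svc": {"insurance", "banking"},
}


@dataclass(frozen=True)
class SignIn:
    user: str
    mfa_passed: bool
    managed_device: bool     # enrolled, organization-managed device
    device_compliant: bool   # posture check (patched, encrypted) passed
    requested_data: str      # PHI category the session is asking for


def evaluate(s: SignIn) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    # 1. MFA is required for staff and vendors alike.
    if not s.mfa_passed:
        return False, "mfa-required"
    # 2. Vendor accounts must be known and stay inside their BAA scope.
    if s.user.startswith("vendor-"):
        scope = VENDOR_ACCESS.get(s.user)
        if scope is None:
            return False, "unknown-vendor-account"
        if s.requested_data not in scope:
            return False, "data-category-outside-baa-scope"
    # 3. Non-organization devices get an additional requirement: they must
    #    pass a device-posture check before touching PHI.
    if not s.managed_device and not s.device_compliant:
        return False, "unmanaged-device-failed-posture-check"
    return True, "ok"


def review(signins: list[SignIn]) -> dict[str, int]:
    """Count outcomes per reason: the summary a covered entity would review."""
    return dict(Counter(evaluate(s)[1] for s in signins))


def unknown_vendor_accounts(signins: list[SignIn]) -> set[str]:
    """Vendor accounts seen signing in that no BAA allow-list entry covers."""
    return {s.user for s in signins
            if s.user.startswith("vendor-") and s.user not in VENDOR_ACCESS}


# Constructed sample sign-ins exercising each rule.
SAMPLE_SIGNINS = [
    SignIn("vendor-imaging-svc", True, False, True, "medical"),    # allowed
    SignIn("vendor-imaging-svc", True, False, True, "banking"),    # outside BAA scope
    SignIn("vendor-billing-svc", False, False, True, "insurance"), # no MFA
    SignIn("vendor-radiology-x", True, True, True, "medical"),     # not in allow-list
    SignIn("jdoe", True, False, False, "medical"),                 # unmanaged, failed posture
    SignIn("jdoe", True, True, True, "medical"),                   # allowed
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s.user, s.requested_data, evaluate(s))
    print("summary:", review(SAMPLE_SIGNINS))
    print("unknown vendor accounts:", unknown_vendor_accounts(SAMPLE_SIGNINS))
```

The allow-list doubles as the inventory of who may reach PHI: any `vendor-` account that signs in without an entry is surfaced by `unknown_vendor_accounts`, which is the practical form of "identify all users/devices with access."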
Moreover, enabling HIPAA compliant email, like Paubox Email Suite Plus, is crucial to safeguarding PHI.
Not only does Paubox use automatic email encryption, but we also offer to sign a BAA for all of our customers. And our HITRUST CSF certified solution requires no change in email behavior and works with any existing email platform, such as Microsoft 365 and Google Workspace.
Finally, Paubox Email Suite Plus comes with Zero Trust Email, which adds a layer of verification even before an email gets delivered.
Broward Health will look at its cybersecurity measures and will hopefully improve its interactions with business associates. That’s necessary because all organizations are only as strong as their weakest link.