On January 1, 2022, Broward Health, which operates dozens of health care facilities in Broward County, Florida, notified over 1.3 million individuals that a threat actor gained access to and removed data from its system on October 15, 2021. The data exfiltrated and compromised included individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, financial, insurance and medical information.

According to the notification letter, “the intrusion occurred through the office of a third-party medical provider who is permitted access to the system to provide healthcare services.”

Broward Health is offering the affected individuals credit monitoring. Following the incident, it required a password reset of its users, and implemented multi-factor authentication (MFA) “for all users of its systems.” It also disclosed that it is implementing “minimum security requirements” for devices that have access to its network that are not managed by its internal IT professionals.

Reading between the lines and purely speculating, my guess is that the incident occurred through a third-party medical provider’s device that had access to Broward Health’s system, but that had not deployed MFA, causing or contributing to the intrusion. This breach shows how a third-party can cause an incident if they have access to your network but do not have the same or similar security measure in place as you, and highlights the importance of identifying all users/devices with access to your network, and requiring all users to implementation of security measures consistent with your own.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.