This weekend, the Broward Health hospital system notified more than 1.3 million patients and staff members that their personal information was involved in a data breach that started on October 15.
In a statement on Saturday, the Florida hospital system said that in addition to names, addresses and phone numbers, Social Security numbers, bank account information and medical history data was included in the breach.
Insurance account information, driver's license numbers, email addresses and treatments received were also included. The hospital system said it waited months to notify victims because the Department of Justice told them to hold off on sending out breach notification letters.
"On October 15, 2021, an intruder gained entry to the Broward Health network through the office of a third-party medical provider permitted to access the system to provide healthcare services. Broward Health discovered the intrusion on October 19, 2021, and promptly contained the incident, notified the FBI and the Department of Justice (DOJ), required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation," the hospital explained.
"Broward Health also engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined some patient and employee personal information may have been impacted. The DOJ requested the Broward Health briefly delay this notification to ensure that the notification does not compromise the ongoing law enforcement investigation."
The hospital system did not say how many people were involved, but in their submission to the Maine Attorney General's office, they said 1,357,879 people were affected.
The hospital is offering 24 months of identity theft protection services, implemented multifactor authentication for all users of its systems and "minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network."
The notice warned that people who had their information exposed are now vulnerable to medical identity theft, which is when someone uses a person's name and information to get medical services or fraudulently bill for medical services. The hospital urged those affected to monitor their benefits statements and financial accounts.
Joseph Carson, chief security scientist at ThycoticCentrify, said countries where healthcare is extremely expensive, are the leading targets for cybercriminals to steal and monetize personal health information.
In many instances, personal health information is much more valuable than stolen credit card information, Carson added, noting that it can be sold for up to $500 or more on the dark web because it can easily be abused for fake medical claims, fake prescriptions or fake identities.
"Personal health information can also be used for extortion or blackmail targeting victims who do not want sensitive information disclosed or even to abuse insurance claims and tax refunds," Carson said.
"Unfortunately, for medical records, you cannot change your medical history. Once stolen or disclosed, it is public knowledge, whereas a credit card you can change and get back on track quickly."