On January 1, 2022, Broward Health, which operates dozens of health care facilities in Broward County, Florida, notified over 1.3 million individuals that a threat actor gained access to and removed data from its system on October 15, 2021. The data exfiltrated and compromised included individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, financial, insurance and medical information.

According to the notification letter, “the intrusion occurred through the office of a third-party medical provider who is permitted access to the system to provide healthcare services.”

Broward Health is offering the affected individuals credit monitoring. Following the incident, it required a password reset of its users, and implemented multi-factor authentication (MFA) “for all users of its systems.” It also disclosed that it is implementing “minimum security requirements” for devices that have access to its network that are not managed by its internal IT professionals.

Reading between the lines and purely speculating, my guess is that the incident occurred through a third-party medical provider’s device that had access to Broward Health’s system, but that had not deployed MFA, causing or contributing to the intrusion. This breach shows how a third-party can cause an incident if they have access to your network but do not have the same or similar security measure in place as you, and highlights the importance of identifying all users/devices with access to your network, and requiring all users to implementation of security measures consistent with your own.