Data exfiltration occurred at a business associate of Broward Health, a Florida-based health system. The health system, with over 30 healthcare locations in Broward County, just released its breach alert.
Cyberattacks continue to wreak havoc on healthcare providers, their business associates, and patients’ protected health information (PHI). In fact, four of the 10 largest incidents were directly caused by vendors.
Such numbers show that covered entities and their business associates are not doing everything they can and must do to protect patients’ and employees’ information.
More needs to be done to comply with HIPAA by employing robust cybersecurity features like HIPAA compliant email.
The data breach happened on October 15, 2021, when a hacker gained access through a third-party medical provider. The health system discovered the breach on October 19. Broward Health immediately contained the incident and then notified the FBI, the Department of Justice (DOJ), and an independent cybersecurity firm.
The DOJ requested that Broward delay notification to avoid interference with the investigation.
An independent data review specialist determined that the breach impacted the following PHI:
- Names
- Birthdates
- Addresses and phone numbers
- Banking information
- Social Security numbers
- Driver's license numbers
- Medical information
- Insurance information
The incident is now listed on the Office for Civil Rights’ (OCR) Breach Portal as a hacking/IT incident affecting 1,351,431 individuals.
According to the alert, the information was exfiltrated but “there is no evidence [it] was actually misused.” The cyberattack does not appear to involve ransomware; no ransom demand was made.
Patient care remains undisturbed, although an affected patient has already filed a class-action lawsuit against Broward Health.
Just like covered entities, business associates must be HIPAA compliant.
According to HIPAA, a business associate is a person or entity that performs certain functions or activities involving the use or disclosure of PHI. Healthcare organizations utilize these third-party vendors for a variety of functions.
This particular breach demonstrates that a business associate with access to a network or to PHI can cause an incident if it does not apply the same security measures as the covered entity.
It may also demonstrate that the blame can fall onto a covered entity if certain provisions aren’t in place. OCR lists this breach as a healthcare provider rather than a business associate issue.
Before a covered entity works with a business associate, it is necessary to:
In fact, this list should apply to a covered entity itself, ensuring its HIPAA compliance while avoiding a HIPAA violation.
Cyberattacks like this one clearly show that healthcare organizations (and business associates) must strengthen their network and access security measures.
After the incident, Broward Health asked all employees to reset their passwords. The health system also implemented multifactor authentication and additional security requirements for non-Broward devices.
Beyond this, Broward Health and all healthcare organizations should also provide consistent and up-to-date employee awareness training along with strong access controls like MFA. Moreover, enabling HIPAA compliant email, like Paubox Email Suite Plus, is crucial to safeguarding PHI.
Not only does Paubox use automatic email encryption, but we also offer to sign a BAA for all of our customers. And our HITRUST CSF certified solution requires no change in email behavior and works with any existing email platform, such as Microsoft 365 and Google Workspace.
Finally, Paubox Email Suite Plus comes with Zero Trust Email, which adds a layer of verification even before an email gets delivered.
Broward Health will look at its cybersecurity measures and will hopefully improve its interactions with business associates. That’s necessary because all organizations are only as strong as their weakest link.