Florida Health Data Hack Shows Risk of Outside Devices

One healthcare provider in Florida suffered a data breach in late 2021 that compromised the confidential records of more than a million people. 

Weeks later, another Florida provider thwarted a cyber-attack that could have been even more devastating.

The difference: in the latter case, the provider acted swiftly, decisively and proactively at the first hint of danger.

And both cases illustrate the risk that unsecure outside devices pose to your computer network.

Are you aware of the resources and services available at Lawyers Mutual Consulting & Services? Founded by Camille Stell, who also serves as president, LMCS is a subsidiary of Lawyers Mutual. Its mission is to help firms build a modern law practice. It does that by offering expert advice and assistance into law firm trends and best practices. Camille and LMCS helps lawyers and firms create strategic plans and succession plans. A popular speaker and writer, Camille loves to guide lawyers through succession planning and into Life after Law. Contact her today.

One Healthcare Hit, One Near Miss

Broward Health – which runs dozens of health care facilities in Broward County, Florida – experienced a data breach that affected the confidential information – names, addresses, birth dates, driver’s license numbers, Social Security numbers, insurance and medical information – of more than 1.3 million people. The breach apparently occurred in October 2021.

In January, the company issued a notification letter stating that “the intrusion occurred through the office of a third-party medical provider who is permitted access to the system to provide healthcare services.” 

The company is offering credit monitoring for anyone affected by the breach, requiring all system users to reset their passwords, and implementing multi-factor authentication for all users.

“Reading between the lines and purely speculating, my guess is that the incident occurred through a third-party medical provider’s device that had access to Broward Health’s system, but that had not deployed MFA, causing or contributing to the intrusion,” according to data privacy and security lawyer Linn Freedman. “This breach shows how a third-party can cause an incident if they have access to your network but do not have the same or similar security measure in place as you and highlights the importance of identifying all users/devices with access to your network and requiring all users to implementation of security measures consistent with your own.”

The company said it is imposing “minimum security requirements” for outside devices that have access to the network, which might be a case of closing the barn door after the cow has already escaped.

Quick Thinking Saves the Day

Meanwhile, over in the Florida panhandle, Jackson Hospital was spared a catastrophe in January 2022 when quick-thinking staffers noticed a problem and alerted IT, which shut down the system and averted the attack.

From CNN: “The emergency room of Jackson Hospital, a 100-bed facility on Florida's panhandle, called to report that it couldn't connect to the charting system that doctors use to look up patients' medical histories. Jamie Hussey, Jackson Hospital's IT director, soon realized that the charting software, which was maintained by an outside vendor, was infected with ransomware and that he didn't have much time to keep the computer virus from spreading. The hospital shut down its computer systems on his advice.”

Experts say any delay could have resulted in a shut-down of the entire hospital. As it turned out, patient care wasn’t disrupted, although hospital staff had to resort to using pen and paper records until the system was back up and running.

NC Rule of Professional Conduct 1.1 – Competence

A lawyer shall not handle a legal matter that the lawyer knows or should know he or she is not competent to handle without associating with a lawyer who is competent to handle the matter. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.

Comment [8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.

Sources: The National Law Review, CNN and NC Rule of Professional Conduct 1.1

Lawyers Mutual is on your side as you adjust to practicing law post-COVID. Our email newsletter “Practice Reimagined” offers timely tips, pointers and valuable links on wellness, work-life balance and quality of life – delivered straight to your in-box. Lawyers helping lawyers. It’s what we’ve been doing more than 40 years.