An October 2021 cyberattack on Broward Health resulted in the extraction of up to 1.3 million pieces of protected health information (PHI) from the hospital system’s computer network.

What Occurred in the Broward Hospital Data Breach


Broward Health is a public non-profit hospital system composed of four hospitals in the greater Ft. Lauderdale, Florida area. According to a statement on their website, a hacker gained entry into their health network through the office of an unnamed third-party medical provider on October 15, 2021.

Upon discovery of the intrusion on October 19, 2021, Broward Health contained the incident and reset all employee passwords. The hospital system retained an independent cybersecurity firm and an experienced data review specialist to investigate the incident and analyze the data impacted.

Broward Health also notified the FBI and the Department of Justice (DOJ). At the request of the DOJ, Broward delayed notification of the hospital data breach to avoid compromise to the ongoing law enforcement investigation.


Who Was Affected by the Broward Hospital Data Breach

In a separate notification to the Maine Attorney General’s office, Broward Health reported 1,357,879 individuals affected by the third-party data breach, including 479 residents of the State of Maine. 

Hackers removed electronic PHI and other data from the hospital’s computer network, including name, date of birth, address, phone number, financial or bank account information, Social Security number, insurance information and account number, medical information (including history, condition, treatment and diagnosis), medical record number, driver’s license number, and email address.

The HIPAA Breach Notification Rule mandates that those affected by breaches of 500 or more individuals must be notified within 60 days of the breach’s discovery. The breach must also be reported to the Department of Health and Human Services (HHS) and the media within 60 days of discovery. As of January 6, 2022, there is no listing on the HHS Office for Civil Rights Breach Portal.

What is the Response to the Broward Hospital Data Breach

Broward Health has offered two years of free identity monitoring to the impacted individuals. In addition to the steps listed earlier, they are implementing multi-factor authentication for all system users. 

They are also increasing the minimum security requirements for devices not managed by Broward Health Information Technology that access their network, effective January 2022.

Takeaways from the Broward Hospital Data Breach

Security experts say this hospital data breach highlights two ongoing cybersecurity issues: the rising number of breaches caused by third parties and the challenge of limiting both access and intrusion points.

In 2020 and 2021, third-party data breaches were the largest source of system compromises, possibly because of the additional stress upon the healthcare system as it struggles with the pandemic.

To illustrate the concept of limiting access points and intrusion points, think about your circle of friends. If you gave each of your friends and family a key to your home, wouldn’t you need a method to limit where each person could go and what they could do?

Without proper access and intrusion controls, your entire home would be open to every person with a key and anyone with whom they shared that key. The same is true for your data networks and the business associates and other medical providers that connect to them.

Providers and business associates who do not maintain or cannot afford effective security measures present a threat to their data. HIPAA regulations mandate an annual HIPAA Security Risk Analysis to identify gaps. Unless they are mitigated, these gaps may create violations of the HIPAA Privacy Rule or the HIPAA Security Rule. A third-party data breach can still damage your professional reputation.

Becoming and remaining HIPAA Compliant gives your organization an excellent foundation that can enhance your patients’ experience and secure those vital pieces of PHI within your systems. Our dedicated compliance experts are ready to talk with you about building a culture of compliance that meets all of the HIPAA requirements and makes your organization stronger.