25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Almost 50,000 Health Plan Members Affected by Ransomware Attack on Broward County Public Schools

Posted By on Dec 15, 2021

In March 2021, ransomware was used in an attack on Broward County Public Schools in Florida and files were encrypted. The investigation into the breach revealed access to the school network was first gained by unauthorized individuals on November 12, 2020, with the ransomware deployed on March 6, 2021. The attack was detected on March 7, 2021.

The hackers demanded a ransom payment of $40 million for the keys to decrypt files, which was later reduced to $10, million but the school district refused to pay. Initially, it did not appear that any sensitive data had been obtained in the attack, but on April 19, 2021, it was discovered that some files stored on its systems had been stolen when they were released publicly on the Conti ransomware gang’s data leak website.

Schools are not usually covered by the Health Insurance Portability and Accountability Act (HIPAA), so HIPAA breach notifications are not required when student records are compromised; however, in this case, the school district is a HIPAA-covered entity as it operates a self-insured health plan.

On June 8, 2021, it was confirmed that some of the files obtained by the attackers included names and Social Security numbers, with further analysis of the security breach confirming on June 29, 2021, that the attackers accessed and potentially stole the protected health information of members of its health plan, including names, dates of birth, Social Security numbers, and benefits selection information.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Those individuals are now being notified about the exposure and potential theft of their PHI, more than a year after its systems were first breached and 5 months after it was discovered their PHI was involved. The delay in issuing notifications was explained by Chief Communications Officer Kathy Koch as being due to “a time-consuming review of the data that might have been accessed by the unauthorized party.” Complimentary credit monitoring services are now being provided.

It is unclear how many individuals in total have been affected by the breach, but the breach has been reported to the HHS’ Office for Civil Rights as affecting 48,684 individuals.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist