Almost 50,000 Health Plan Members Affected by Ransomware Attack on Broward County Public Schools

In March 2021, ransomware was used in an attack on Broward County Public Schools in Florida and files were encrypted. The investigation into the breach revealed access to the school network was first gained by unauthorized individuals on November 12, 2020, with the ransomware deployed on March 6, 2021. The attack was detected on March 7, 2021.

The hackers demanded a ransom payment of $40 million for the keys to decrypt files, which was later reduced to $10 million, but the school district refused to pay. Initially, it did not appear that any sensitive data had been obtained in the attack, but on April 19, 2021, it was discovered that some files stored on its systems had been stolen when they were released publicly on the Conti ransomware gang’s data leak website.

Schools are not usually covered by the Health Insurance Portability and Accountability Act (HIPAA), so HIPAA breach notifications are not required when student records are compromised; however, in this case, the school district is a HIPAA-covered entity as it operates a self-insured health plan.

On June 8, 2021, it was confirmed that some of the files obtained by the attackers included names and Social Security numbers, with further analysis of the security breach confirming on June 29, 2021, that the attackers accessed and potentially stole the protected health information of members of its health plan, including names, dates of birth, Social Security numbers, and benefits selection information.

Those individuals are now being notified about the exposure and potential theft of their PHI, more than a year after its systems were first breached and 5 months after it was discovered their PHI was involved. The delay in issuing notifications was explained by Chief Communications Officer Kathy Koch as being due to “a time-consuming review of the data that might have been accessed by the unauthorized party.” Complimentary credit monitoring services are now being provided.

It is unclear how many individuals in total have been affected by the breach, but the breach has been reported to the HHS’ Office for Civil Rights as affecting 48,684 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.