HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Broward Health Notifies Over 1.3 Million Individuals About October 2021 Data Breach

A major data breach has been announced by Florida’s Broward Health involving the personal and protected health information of more than 1.35 million individuals. The data breach occurred on October 15, 2021, when a hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted access to the Broward Health network for providing healthcare services.

Broward Health discovered and blocked the intrusion on October 19, 2021, and a password reset was performed for all employees to prevent further unauthorized access. Assisted by a third-party cybersecurity company, Broward Health conducted a comprehensive investigation to determine the nature and scope of the breach.

The investigation confirmed the attacker had access to parts of the network where employee and patient information were stored, including sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial/bank account information, health insurance information, medical histories, health conditions, treatment and diagnosis information, medical record numbers, and driver’s license numbers. Broward Health said some data was exfiltrated from its systems.

The cyberattack was reported to the Department of Justice which requested Broward Health delay sending breach notification letters to affected individuals so as not to interfere with the law enforcement investigation.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Broward Health has taken steps to improve security and prevent similar incidents in the future, which include implementing multifactor authentication for all users of its systems and setting minimum-security requirements for all devices not managed by Broward Health’s information technology department with access to its network. Those security requirements will take effect this January.

Broward Health has not received any reports that indicate patient or employee data have been misused, but as a precaution against identity theft and fraud, affected individuals have been offered a complimentary 2-year membership to the Experian IdentityWorksSM service, which includes identity theft protection, detection, and resolution services.

The HHS’ Office for Civil Rights breach portal indicates 1,351,431 individuals have been affected but has been reported to the Maine Attorney General as potentially affecting 1,357,879 patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.