Hackers hit Broward Health network, potentially exposing data on 1.3M patients, staff

Hackers breached the computer networks of Broward Health in October and may have accessed personal and financial information on more than 1.3 million patients and staff.

The southeast Florida health system, which operates more than 30 healthcare locations in Broward County, disclosed it was hit with a cyberattack on Oct. 15, 2021, when an intruder gained unauthorized access to the hospital's network and patient data through a third-party medical provider, according to a statement posted to the health system's website Saturday.

The health system said it discovered the intrusion four days later, on Oct. 19, and contained the incident, then notified the FBI and the Department of Justice (DOJ).

Broward Health said it waited months to notify victims and make the breach public because the DOJ told them to hold off on sending out breach notification letters to preserve an ongoing law enforcement investigation, the health system said.

RELATED: 2020 offered a 'perfect storm' for cybercriminals with ransomware attacks costing the industry $21B

The health system also immediately required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation. Broward Health engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined some patient and employee personal information may have been impacted. 

The hackers accessed names, birthdays, addresses, banking information, Social Security numbers, drivers’ license numbers, patient histories and treatment and diagnosis records, among other information, according to the health system.

The hospital system did not say how many people were involved, but a submission to the Maine attorney general's office states that 1,357,879 people were affected. 

The information was removed from the hospital’s system, "however, there is no evidence the information was actually misused," the health system said in its statement.

The incident did not appear to involve ransomware. Broward Health spokesperson Jennifer Smith told CNN in an email that the hackers did not make any ransom demand and that no ransom was paid.

RELATED: HIMSS21: Your healthcare organization is crippled by ransomware. Should you pay the attackers?

"Patient care was not disrupted or impacted at any time during or following this incident," Smith said, according to CNN's reporting.

The hospital is offering 24 months of identity theft protection services for patients impacted by the breach.

Broward Health also said it has implemented multifactor authentication for all users of its systems and "minimum-security requirements for devices not managed by Broward Health Information Technology with access to its network."

The breach incident is the latest of a growing number of cyberattacks against healthcare organizations during the COVID-19 pandemic. 

A recent cyberattack on Planned Parenthood’s Los Angeles branch exposed the personal information of about 400,000 patients. Between Oct. 9 and Oct. 17, a hacker infiltrated the reproductive health care center’s network and stole files including patient information like names and insurance details along with clinical information including diagnoses and procedures undergone by the patients.