Approximately 50,000 Health Plan Members Affected by Broward County Public Schools Ransomware Attack

In March 2021, Broward County Public Schools based in Florida encountered a ransomware attack and its files were encrypted. According to the breach investigation results, unauthorized individuals first gained access to the school network on November 12, 2020. Ransomware was deployed on March 6, 2021. Broward County Public Schools uncovered the ransomware attack on March 7, 2021.

The hackers issued a ransom demand of $40 million in exchange for the file decryption keys, which was afterward decreased to $10 million, however, the school district did not pay. At first, it did not seem like that any sensitive data was obtained in the ransomware attack, however, on April 19, 2021, it was found out that a number of files kept on its systems were stolen the minute they were published publicly on the Conti ransomware group’s data leak website.

Schools aren’t typically covered by the Health Insurance Portability and Accountability Act (HIPAA), thus HIPAA breach notifications aren’t necessary when student information is compromised; nevertheless, in this case, the school district is actually a HIPAA-covered entity because it runs a self-insured health plan.

It was established on June 8, 2021 that certain files acquired by the attackers contained names and Social Security numbers. Further review of the security breach confirmed on June 29, 2021 that the hackers had viewed and possibly stole the protected health information (PHI) of health plan members, which include names, Social Security numbers, dates of birth, and benefits selection details.

Those people are now being advised regarding the breach and probable theft of their information, more than a year after the first breach of its systems and 5 months after discovering that their PHI had been impacted. Chief Communications Officer Kathy Koch explained the delay in sending notifications as due to “a time-consuming analysis of the data that might have been gotten by the unauthorized party.” No cost credit monitoring services are currently being given.

It is uncertain how many persons, all in all, were affected by the breach, nevertheless, the breach report was sent to the HHS’ Office for Civil Rights as impacting 48,684 persons.