Hackers breached the computer networks of Broward Health in October and may have accessed personal and financial information on more than 1.3 million patients and staff.
The southeast Florida health system, which operates more than 30 healthcare locations in Broward County, disclosed it was hit with a cyberattack on Oct. 15, 2021, when an intruder gained unauthorized access to the hospital’s network and patient data through a third-party medical provider, according to a statement posted to the health system’s website Saturday.
The health system said it discovered the intrusion four days later, on Oct. 19, and contained the incident, then notified the FBI and the Department of Justice (DOJ).
Broward Health said it waited months to notify victims and make the breach public because the DOJ told them to hold off on sending out breach notification letters to preserve an ongoing law enforcement investigation, the health system said.
The health system also immediately required a password reset for all employees and engaged an independent cybersecurity firm to conduct an investigation. Broward Health engaged an experienced data review specialist to conduct an extensive analysis of the data to determine what was impacted, which determined some patient and employee personal information may have been impacted.
The hackers accessed names, birthdays, addresses, banking information, Social Security numbers, drivers’ license numbers, patient histories and treatment and diagnosis records, among other information, according to the health system.
The hospital system did not say how many people were involved, but a submission to the Maine attorney general’s office states that 1,357,879 people were affected.
The information was removed from the hospital’s system, “however, there is no evidence the information was actually misused,” the health system said in its statement.
The incident did not appear to involve ransomware. Broward Health spokesperson Jennifer Smith told CNN in an email that the hackers did not make any ransom demand and that no ransom was paid.