Cyber Incident Victim: Broward Health

Date: Oct 2021

Location: United States of America

Summary

A large-scale cyberattack compromised Broward Health's network via a third-party medical provider, exposing sensitive personal and medical data of over 1.3 million individuals. The breach involved unauthorized access to names, birthdates, Social Security numbers, financial details, medical histories, insurance information, and driver’s license numbers. The intrusion was detected four days after initial access, prompting immediate law enforcement notification, system-wide password resets, and the implementation of multifactor authentication. While no evidence of data misuse was found, the healthcare system enhanced security protocols for external devices and offered affected individuals identity theft protection services due to the high-risk nature of the stolen information.

Description

On October 19, 2021, Broward Health, a Florida-based healthcare system operating over thirty facilities and handling more than 60,000 annual admissions, discovered a network intrusion that had occurred four days earlier on October 15. The unauthorized access led to the compromise of personal and medical data belonging to 1,357,879 individuals. Upon detecting the breach, the organization immediately notified the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice. Broward Health mandated a system-wide password reset for all employees and engaged a third-party cybersecurity firm to assist with forensic analysis. Investigators determined the attacker infiltrated the network through a third-party medical provider that had authorized system access to deliver healthcare services. The compromised data included full names, dates of birth, physical addresses, phone numbers, financial or bank account details, Social Security numbers, insurance information, medical histories, diagnoses, treatment records, driver’s license numbers, and email addresses. Broward Health confirmed data exfiltration but reported no evidence of misuse at the time of disclosure.

The healthcare system implemented multiple corrective measures following the breach, including an ongoing internal investigation, enhanced password security protocols, and mandatory multifactor authentication (MFA) deployment across all system users. Additional minimum-security standards for non-managed devices accessing the network were scheduled for implementation in January 2022. Affected individuals received breach notifications advising vigilance against potential phishing or social engineering attempts due to the sensitivity of the exposed data. Broward Health offered complimentary 24-month subscriptions to Experian’s identity theft detection and protection services to impacted parties. While no misuse of stolen data had been observed publicly, the breach notification cautioned that large-scale data troves often undergo delayed evaluation by threat actors before targeted exploitation, emphasizing the long-term risks associated with the exposure of comprehensive personal and medical records.
