In March 2021, Broward County Public Schools located in Florida suffered a ransomware attack resulting in the encryption of its data files. Based on the breach investigation findings, unauthorized persons first acquired access to the school system on November 12, 2020. Ransomware was launched on March 6, 2021. Broward County Public Schools discovered the attack on March 7, 2021.
The attackers asked for a ransom payment of $40 million to get the keys to decrypt files, which was later on lessened to $10 million, still, the school district declined to pay. In the beginning, it didn’t look like that any sensitive information was obtained in the cyberattack, however, on April 19, 2021, it was confirmed that a number of files saved on its networks were stolen the moment they were posted publicly on the Conti ransomware gang’s data leak site.
Schools are normally not under the Health Insurance Portability and Accountability Act (HIPAA), therefore HIPAA breach notifications aren’t needed when student data are exposed; nonetheless, in this instance, the school district is in fact a HIPAA-covered entity since it manages a self-insured health plan.
It was affirmed on June 8, 2021 that certain files acquired by the attackers involved names and Social Security numbers. Further investigation of the security breach affirmed on June 29, 2021 that the hackers had seen and likely stole the protected health information (PHI) of health plan members, such as names, Social Security numbers, birth dates, and benefits selection data.
Those people are currently being informed concerning the compromise and likely theft of their data, over one year after the initial attack of its systems and 5 months after finding out that their PHI had been affected. Chief Communications Officer Kathy Koch talked about the long wait in giving notifications as caused by a labor-intensive evaluation of the information that may have been viewed by the unauthorized people.” Free credit monitoring services are right now being made available.
It is not clear how many people altogether were impacted by the breach, nevertheless, the breach report was submitted to the HHS’ Office for Civil Rights as having an effect on 48,684 persons.