Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

2 min read

Exfiltration at a Broward Health third-party medical provider

Exfiltration at a Broward Health third-party medical provider

Data exfiltration occurred at a business associate of Broward Health, a Florida-based health system. The health system, with over 30 healthcare locations in Broward County, just released its breach alert.

Cyberattacks continue to wreak havoc on healthcare providers, their business associates, and patients’ protected health information (PHI). In fact, four of the top 10 biggest incidents were directly caused by vendors.

RELATED: TriHealth confirms third-party data breach

Such numbers show that covered entities and their business associates are not doing everything they can and must do to protect patients’ and employees’ information.

More needs to be done to comply with HIPAA by employing robust cybersecurity features like HIPAA compliant email.

What happened?

The data breach happened on October 15, 2021, when a hacker gained access through a third-party medical provider. The health system discovered the breach on October 19. Broward Health immediately contained the incident then notified the FBI, Department of Justice (DOJ), and an independent cybersecurity firm.

RELATED: What to do after you violate HIPAA

The DOJ requested that Broward delay notification to avoid interference with the investigation.

An independent data review specialist determined that the breach impacted the following PHI:

Names Birthdates Addresses and phone numbers
Banking information Social Security numbers Driver's license numbers
Medical information Insurance information  


The incident is now listed on the Office for Civil Rights’ (OCR) Breach Portal as a hacking/IT incident affecting 1,351,431 individuals.

RELATED: What is HHS’ Wall of Shame?

According to the alert, the information was exfiltrated but “there is no evidence [it] was actually misused.” The cyberattack does not appear to involve ransomware; no ransom demand was made.

Patient care remains undisturbed, although an involved patient just filed a class-action lawsuit against Broward Health.


Don’t let business associates be a problem

Just like covered entities, business associates must be HIPAA compliant.

RELATED: Understanding and implementing HIPAA rules

According to HIPAA, a business associate is a person or entity that performs certain functions or activities involving the use or disclosure of PHI. Healthcare organizations utilize these third-party vendors for a variety of functions.

This particular breach demonstrates that a business associate can cause an incident if they have access to a network or PHI and do not use the same security measures.

RELATED: Business associate pays $2.3 million for HIPAA noncompliance

It may also demonstrate that the blame can fall onto a covered entity if certain provisions aren’t in place. OCR lists this breach as a healthcare provider rather than a business associate issue.

Before a covered entity works with a business associate, it is necessary to:

  • Understand security measures in place
  • Require similar features to its own
  • Control the type of accessible information
  • Identify all users/devices with access
  • Sign a business associate agreement (BAA)


In fact, this list should apply to a covered entity itself, ensuring its HIPAA compliance while avoiding a HIPAA violation.


Protection, protection, protection

Cyberattacks like this one clearly show that healthcare organizations (and business associates) must strengthen their network and access security measures.

After the incident, Broward Health asked all employees to reset their passwords. The health system also implemented multifactor authentication and additional security requirements for non-Broward devices.

RELATED: Why BYOD protection is important for healthcare

Beyond this, Broward Health and all healthcare organizations should also provide consistent and up-to-date employee awareness training along with strong access controls like MFA. Moreover, enabling HIPAA compliant email, like Paubox Email Suite Plus, is crucial to safeguarding PHI.

SEE ALSO: Why healthcare providers should use HIPAA compliant email

Not only does Paubox use automatic email encryption, but we also offer to sign a BAA for all of our customers. And our HITRUST CSF certified solution requires no change in email behavior and works with any existing email platform, such as Microsoft 365 and Google Workspace.

Finally, Paubox Email Suite Plus comes with Zero Trust Email, which adds a layer of verification even before an email gets delivered.

Broward Health will look at its cybersecurity measures and will hopefully improve its interactions with business associates. That’s necessary because all organizations are only as strong as their weakest link.


Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.