Florida Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

A timeline of major cyber incidents in Florida — from the Oldsmar water treatment hack to Broward Health's 1.3 million record breach. Learn what happened, who was affected, and what Florida businesses must do after a breach.

Florida has become one of the most frequently targeted states in the country for cyberattacks. Its combination of a massive tourism economy, a large and growing healthcare sector serving an aging population, and thousands of municipal governments with limited IT budgets creates an unusually broad attack surface. From ransomware payments made by small cities to sophisticated data theft affecting over a million hospital patients, the state's cyber incident history reads like a case study in modern digital risk.

Understanding what has actually happened — which organizations were hit, how attackers got in, and what the consequences were — is essential for any Florida business trying to assess its own exposure. This timeline covers the most significant cybersecurity incidents in the state and explains what Florida's data privacy laws require when a breach occurs.

Major Cyber Incidents in Florida (Timeline)

Florida has experienced a steady escalation of cyber incidents over the past several years. These are the most consequential attacks, each of which exposed systemic weaknesses in how Florida organizations handle cybersecurity.

City of Riviera Beach Ransomware Attack (June 2019)

In June 2019, the City of Riviera Beach, a small municipality north of West Palm Beach, suffered a devastating ransomware attack after a police department employee clicked on a malicious email link. The attack knocked out the city's email systems, disabled direct-deposit payroll, and forced 911 dispatchers to handle calls manually. The city council voted unanimously to pay the attackers approximately $600,000 in Bitcoin — one of the largest publicly disclosed municipal ransomware payments at the time. The incident highlighted how a single click in a city of just 35,000 residents could result in a six-figure payout to criminals.

City of Lake City Ransomware Attack (June 2019)

Just weeks after the Riviera Beach incident, the City of Lake City in north-central Florida was hit by a triple-threat ransomware attack combining Emotet, TrickBot, and Ryuk malware. The attack encrypted city systems and disrupted services for more than two weeks. Lake City ultimately paid approximately $460,000 in Bitcoin to recover its files, after its cyber insurance carrier negotiated with the attackers. The city's IT director was fired following the incident. Together with Riviera Beach, the Lake City attack put Florida municipalities on the national radar as ransomware targets.

Oldsmar Water Treatment Plant Hack (February 2021)

In one of the most alarming cybersecurity incidents in U.S. infrastructure history, an attacker remotely accessed the water treatment system in Oldsmar, a city of roughly 15,000 in the Tampa Bay area, and attempted to increase sodium hydroxide (lye) levels to 111 times the normal amount. A plant operator noticed the cursor moving on his screen and intervened within minutes, preventing any contamination from reaching the water supply. The attacker gained access through TeamViewer, a remote desktop tool that was still installed on a shared computer using a common password. The incident prompted emergency warnings from CISA and the EPA and exposed how vulnerable small municipal utilities are to cyberattack.

UF Health Leesburg and The Villages Breach (May 2021)

In May 2021, UF Health Leesburg and UF Health The Villages — hospitals serving one of Florida's largest retirement communities — suffered a cyberattack that forced staff to revert to paper records for weeks. The attack disrupted access to electronic health records, phone systems, and email. While UF Health did not publicly confirm a ransomware payment, the prolonged recovery and shift to manual processes indicated a severe compromise. The breach was particularly concerning because The Villages is home to one of the nation's highest concentrations of elderly residents, whose medical data carries premium value on criminal marketplaces.

Broward Health Data Breach (October 2021)

Broward Health, one of the largest public hospital systems in the United States with over 30 locations in South Florida, disclosed in January 2022 that a breach first identified in October 2021 had exposed the personal information of approximately 1.35 million patients. The stolen data included names, dates of birth, addresses, Social Security numbers, bank account information, medical histories, treatment records, and health insurance details. The intrusion occurred through a third-party medical provider that had network access to Broward Health's systems. The breach underscored the risks of third-party access in healthcare environments.

JBS USA — Florida Operations (May 2021)

JBS, the world's largest meat processing company, has significant operations in Florida. The May 2021 ransomware attack by the REvil group shut down JBS plants across the country, including Florida facilities, forcing temporary closures that affected supply chains and grocery prices. JBS ultimately paid an $11 million ransom. While the attack was national in scope, its impact on Florida's food supply chain and workforce was substantial.

Florida Healthy Kids Data Exposure (2013–2020)

Florida Healthy Kids Corporation, the state's subsidized children's health insurance program, disclosed in 2021 that a vulnerability in its web hosting platform had left applicant data exposed for approximately seven years, from 2013 to December 2020. The exposed data included Social Security numbers, dates of birth, and addresses of children and their families. An estimated 3.5 million records were potentially at risk. The extended duration of the exposure — caused by a failure at Jelly Bean Communications, the third-party hosting vendor — made it one of the longest-running known data exposures of children's information in the U.S.

Florida's Data Breach Notification Law

Florida's primary data breach law is the Florida Information Protection Act (FIPA), codified at §501.171 of the Florida Statutes. FIPA is one of the stricter state breach notification laws in the country, reflecting the state legislature's recognition of the volume of sensitive data flowing through Florida's healthcare, financial, and tourism industries.

Key FIPA Requirements

  • 30-day notification deadline: Covered entities must notify affected individuals within 30 calendar days of discovering a breach — one of the shortest timelines among U.S. state laws

  • Attorney General notification: If a breach affects 500 or more individuals, the entity must notify the Florida Attorney General's office within the same 30-day window

  • Maximum penalty: FIPA imposes civil penalties of up to $500,000 for violations, on a tiered structure: $1,000 per day for the first 30 days after a violation, then $50,000 for each subsequent 30-day period, up to the $500,000 cap

  • Broad definition of personal information: FIPA covers not only Social Security numbers and financial account data but also medical history, health insurance information, email credentials, and biometric data

  • Credit monitoring: If Social Security numbers or financial data are compromised, the breached entity must offer affected individuals at least 12 months of credit monitoring at no cost

For a complete breakdown of Florida's compliance landscape, see our guide to Florida cybersecurity and data privacy laws.

Which Florida Industries Are Most Targeted?

While no sector is immune, certain Florida industries face disproportionate risk based on the types of data they handle, their regulatory environment, and their typical IT maturity levels.

Healthcare and Senior Care

Florida has the second-highest percentage of residents aged 65 and older in the nation. This drives an enormous healthcare and senior care sector that generates massive volumes of protected health information (PHI). Healthcare data is among the most valuable on criminal marketplaces — a single medical record can sell for $250 or more, compared to $5–$10 for a credit card number. Managed IT services for healthcare organizations are especially critical given the sensitivity of the data and the strict regulatory requirements under HIPAA.

Tourism and Hospitality

Florida welcomed over 137 million visitors in 2023, making it the most visited state in the U.S. Hotels, resorts, theme parks, restaurants, and rental car companies process staggering volumes of payment card data, loyalty program information, and personal identification data from guests. The hospitality industry's reliance on point-of-sale systems, guest Wi-Fi networks, and third-party booking platforms creates multiple attack vectors.

Financial Services and Retirement Finance

Florida's large retiree population drives a substantial wealth management, banking, and insurance industry. Retirement accounts, pension distributions, and estate planning involve highly sensitive financial data that is attractive to both cybercriminals and state-sponsored threat actors engaged in wire fraud and identity theft.

Local Government and Municipalities

As the Riviera Beach, Lake City, and Oldsmar incidents demonstrate, Florida's hundreds of municipal governments are frequent targets. Many small cities and counties operate with minimal IT staff and outdated infrastructure, making them vulnerable to ransomware, phishing, and unauthorized access to critical systems including water treatment, emergency services, and public records.

What Florida Businesses Must Do After a Breach

If your Florida business experiences a data breach, FIPA imposes specific obligations that must be met within strict timelines. Failure to comply can result in Attorney General enforcement actions and civil penalties up to $500,000.

FIPA Compliance Checklist

  • Contain the breach immediately: Isolate affected systems, disable compromised accounts, and preserve forensic evidence before attempting remediation

  • Conduct a thorough investigation: Determine the scope of the breach — what data was accessed, how many individuals are affected, and how the attacker gained entry

  • Notify affected individuals within 30 days: Written notice must include a description of the breach, the types of data compromised, and steps the individual can take to protect themselves

  • Notify the Florida Attorney General: Required if 500 or more individuals are affected — the notification must include the timeline, scope, and remediation steps taken

  • Offer credit monitoring services: If Social Security numbers or financial account data were exposed, provide at least 12 months of free credit monitoring

  • Notify credit bureaus: If more than 1,000 individuals are affected, you must notify the major consumer credit reporting agencies

  • Document everything: Maintain detailed records of the breach, investigation, and all notifications sent — FIPA requires entities to preserve this documentation for regulatory review

  • Engage legal counsel: Given the penalty structure and potential for class-action litigation, legal counsel experienced in Florida data breach law should be involved from the earliest stage

How to Protect Your Florida Business

Prevention is far less expensive than breach response. Florida businesses across all industries should implement layered security measures appropriate to the data they handle and the threats they face.

Foundational Security Measures

  • Endpoint detection and response (EDR): Deploy modern EDR solutions on all workstations and servers to detect and contain threats in real time

  • Multi-factor authentication (MFA): Require MFA for all remote access, email accounts, and administrative systems — the Oldsmar incident could have been prevented by basic MFA on remote desktop tools

  • Employee security awareness training: Regular phishing simulations and training reduce the risk of the initial compromise vector used in the majority of Florida breaches

  • Network segmentation: Separate critical systems (financial data, patient records, operational technology) from general-use networks to limit lateral movement after a breach

  • Regular vulnerability assessments: Conduct quarterly vulnerability scans and annual penetration tests to identify exploitable weaknesses before attackers do

Working with a managed IT security services provider gives Florida businesses access to 24/7 monitoring, incident response capabilities, and security expertise that would be cost-prohibitive to build in-house. For a broader understanding of how outsourced IT support works, see our guide to what managed IT services include.

Frequently Asked Questions

What is Florida's data breach notification deadline?

Under the Florida Information Protection Act (FIPA, §501.171), organizations must notify affected individuals within 30 calendar days of discovering a breach. This is one of the strictest deadlines among U.S. state breach notification laws. If the breach affects 500 or more people, the Florida Attorney General must also be notified within the same timeframe.

How much can a Florida business be fined for a data breach?

FIPA imposes civil penalties of up to $500,000 for failure to comply with notification requirements. Penalties are tiered: $1,000 per day for the first 30 days after a violation, then $50,000 for each subsequent 30-day period. These fines are in addition to any costs from lawsuits, credit monitoring, forensic investigation, and business disruption.

Which Florida data breaches were the largest?

The Broward Health breach (disclosed January 2022) affected approximately 1.35 million patients, making it one of the largest healthcare breaches in state history. The Florida Healthy Kids data exposure potentially affected 3.5 million records over a seven-year period from 2013 to 2020. Both incidents involved third-party vendors with access to sensitive systems.

Are Florida municipalities especially vulnerable to ransomware?

Yes. Florida has been a national hotspot for municipal ransomware attacks. The 2019 attacks on Riviera Beach ($600,000 ransom paid) and Lake City ($460,000 ransom paid) demonstrated that small city governments with limited cybersecurity budgets are prime targets. Many Florida municipalities still rely on aging infrastructure and understaffed IT departments, creating conditions that ransomware operators actively seek out.

What should a Florida business do first after discovering a breach?

The immediate priority is containment: isolate affected systems, disable compromised credentials, and preserve forensic evidence. Do not attempt to negotiate with attackers or wipe systems before a forensic investigation. Next, engage legal counsel experienced in Florida breach law to guide FIPA-compliant notification. Begin the investigation to determine scope, and prepare to notify affected individuals and the Attorney General within 30 days.


Alex Morgan

Updated Apr 4, 2026 · 10 min read