Business Associate Error Leads to 19,000-Record Breach at Orlando Orthopaedic Center

by | Aug 3, 2018

A mistake made during a software upgrade on a server owned by a transcription service provider has resulted in the exposure of more than 19,000 patients’ protected health information (PHI).

Patients impacted by the breach had attended Orlando Orthopaedic Center clinics in Orlando, Florida before January 2018.

The software upgrade was being installed in December 2017, and throughout that month PHI stored on the server could be accessed online without any authentication. Orlando Orthopaedic Center only became aware of the exposure of patients’ PHI in February 2018.

Following the discovery of the breach, a full investigation took place. During this investigation it was found that names, dates of birth, insurance information, employer details, and treatment types were accessible. A small number of patients also had their Social Security numbers exposed.

It is not known whether any PHI was accessed by unauthorized people during the time that the protections were disabled. Orlando Orthopaedic Center said it has not been made aware of any misuse of PHI, and nothing to suggest unauthorized access or data theft has been uncovered; however, data theft and unauthorized access could not be ruled out.

Credit monitoring and identity theft protection services have been made available to all patients whose Social Security number was exposed. All patients have now been notified of the breach by mail and have been advised to review their accounts and Explanation of Benefits statements for any sign of inappropriate use of their PHI.

Orlando Orthopaedic Center stated in a news release that its vendor has rectified the issue and all PHI has been secured. Ongoing cybersecurity awareness training is being given to all Orlando Orthopaedic Center staff, and its own security solutions are regularly refreshed to ensure all PHI stored on its servers and endpoints remains safe.

The breach report filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) on July 20, 2018 states that 19,101 patients had their PHI exposed.

It is not known why it took five months from the discovery of the breach to send out notifications and inform OCR, when HIPAA requires notifications to be issued within 60 days of the identification of a breach.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
