Business Associate Error Leads to 19,000-Record Breach at Orlando Orthopaedic Center

by | Aug 3, 2018

A mistake that resulted in the exposure of more than 19,000 patients’ protected health information (PHI) took place during a software upgrade on a server owned by a transcription service provider.

Patients impacted by the breach had attended Orlando Orthopaedic Center clinics in Orlando, Florida before January 2018.

The software upgrade was being installed in December 2017 and, throughout the month, PHI stored on the server was obtainable online without any need for authentication. Orlando Orthopaedic Center only became aware of the exposure of patients’ PHI in February 2018.

Following the discovery of the breach, a full investigation took place. During this, it was found that names, dates of birth, insurance information, employer details, and treatment types were accessible. A small number of patients also had their Social Security numbers impacted.

It is not known whether any PHI was accessed by unauthorized people during the time that the protections were disabled. Orlando Orthopaedic Center said it has not been made aware of any PHI being misused, and nothing has been uncovered to suggest unauthorized access or data theft; however, data theft and unauthorized access could not be ruled out.

Credit monitoring and identity theft protection services have been made available to all patients whose Social Security number was impacted. All patients have now been notified of the breach by mail and have been warned to review their accounts and Explanation of Benefits statements for any sign of inappropriate use of their PHI.

Orlando Orthopaedic Center stated in a news release that its vendor has rectified the issue and all PHI has been secured. Ongoing cybersecurity awareness training is being given to all Orlando Orthopaedic Center staff, and its own security solutions are regularly refreshed to ensure all PHI stored on its servers and endpoints remains safe.

The breach report filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) on July 20, 2018 states that 19,101 patients had their PHI exposed.

It is not known why it took five months from the discovery of the breach to send out notifications and inform OCR, when HIPAA requires notifications to be issued within 60 days of the identification of a breach.


Patrick Kennedy
