Business Associate Error Leads to 19,000-Record Breach at Orlando Orthopaedic Center

A mistake has resulted in the exposure of more than 19,000 patients’ protected health information (PHI) took place during a software upgrade on a server owned by a transcription service provider.

Patients impacted by the breach had attended Orlando Orthopaedic Center clinics in Orlando, Florida before January 2018.

The software upgrade was being installed in December 2017 and throughout the month, PHI stored on the server became obtainable online without any need for authentication. Orlando Orthopaedic Center only became concious of the exposure of patients’ PHI in February 2018.

Following the discovery of the breach, a full investigation took place. DUring this it was found that names, dates of birth, insurance information, employer details, and treatment types were accessible. A small  number of patients also had their Social Security numbers impacted.

It is not known whether any PHI was accessed by unauthorized people during the time that the protections were disabled. Orlando Orthopaedic Center said it has not made aware of any PHI has being misused and nothing to suggest unauthorized access or data theft has been uncovered; however, data theft and unauthorized access could not be eliminated.

Credit monitoring and identity theft protection services have been made available to all patients whose Social Security number was impacted. All patients have been warned to review their accounts and Explanation of Benefits Statements for any sign of inappropriate use of their PHI and have now been alerted of the breach by mail.

Orlando Orthopaedic Center stated in a new release that its vendor has rectified the issue and all PHI has been secured. Ongoing cybersecurity awareness training is being given to all Orlando Orthopaedic Center staff and its own security solutions are regularly refreshed to ensure all PHI stored on its servers and endpoints remains safe.

The breach report filed with to the Department of Health and Human Services’ Office for Civil Rights (OCR) on July 20, 2018 states 19,101 patients had their PHI exposed.

It is not known why it took five months from the discovery of the breach to sending out notifications and informing OCR when HIPAA requires notifications to be broadcast within 60 days of the identification of a breach.