The Florida Orthopaedic Institute (FOI) data breach involved a leak of patients’ data and the encryption of data stored on the company’s servers. A class-action lawsuit was filed, seeking at least $99 million on behalf of patients and former patients. FOI is a conglomerate of orthopaedic offices based in Tampa Bay, Florida.
On April 9, 2020, Florida Orthopaedic Institute discovered a ransomware attack that had encrypted the company’s data. The company engaged an external forensic expert. By May 6, 2020, it was clear that personal information of Florida Orthopaedic Institute patients had been accessed or taken.
FOI data breach leaks patients’ data
The compromised information may include:
- patients’ names,
- dates of birth,
- Social Security numbers,
- medical information related to appointment times,
- physician locations,
- diagnosis codes,
- payment amounts,
- insurance plan identification numbers,
- payer identification numbers,
- claims addresses,
- Florida Orthopaedic Institute claims history.
Florida Orthopaedic Institute noted it was not aware of any misuse of the information. It notified all the affected patients and offered free credit monitoring services. However, according to ABC News, several patients received a letter from Florida Orthopaedic Institute only on June 19, two months after the breach.
Following the data breach, Florida Orthopaedic Institute updated its security procedures: it “implemented a more robust antivirus program, additional firewalls, reduced external access, and implemented additional auditing and tracking of external access”. It also established a call center.
A $99 million class-action follows
Attorney John Yanchunis of Morgan & Morgan filed the lawsuit against the Florida Orthopaedic Institute, seeking at least $99 million on behalf of patients and former patients and citing a “failure to properly secure and safeguard protected health information,” according to the complaint filed June 30.
“If you retain this information and you lose it, you are responsible for the repercussions of its loss” - John Yanchunis, Morgan & Morgan
The filed case seeks long-term identity theft protection for patients, payment for victims and a court order to force the medical group to strengthen its cybersecurity methods going forward. Morgan & Morgan are also concerned that notification of the patients took almost two months.