August 3, 2018
A mistake made by a transcription facility supplier in the course of a software upgrade on a server has led to the disclosure of over 19,000 patients’ protected health information (PHI).
Patients affected by the break had received medical facilities at Orlando Orthopaedic Center clinics in Orlando, Florida before January 2018.
The software upgrade happened in December 2017 and all through the month, PHI stowed on the server became available over the Internet without any requirement for verification. Orlando Orthopaedic Center only became conscious of the disclosure of patients’ PHI in February 2018.
The discovery of the break prompted a complete inquiry, which exposed names, employer details, insurance information, dates of birth, and treatment types were available. A limited number of patients also had their Social Security numbers disclosed.
It is unclear whether any PHI was retrieved by illegal people during the time that the safeguards were disconnected. Orlando Orthopaedic Center said it hasn’t received any reports from patients that show PHI has been abused and no proof of illegal access or data thievery has been found; nevertheless, data thievery and illegal access could not be ruled out.
Credit checking and identity theft protection facilities have been offered to all patients whose Social Security number was disclosed. All patients have been suggested to check their accounts and Explanation of Benefits Statements for any indication of fake use of their PHI and have now been informed of the break by post.
Orlando Orthopaedic Center detailed in a new release that its seller has rectified the issue and all PHI has been safeguarded. Unending cybersecurity consciousness teaching is provided to all Orlando Orthopaedic Center workforce and its own safety solutions are regularly revised to make sure all PHI stowed on its servers and endpoints remains safe.
The break report submitted to the Division of Health and Human Services’ Office for Civil Rights on July 20, 2018 shows 19,101 patients had their PHI disclosed.
It is not clear why it took 5 months from the discovery of the break to issuing notices and notifying OCR when HIPAA needs notices to be issued within 60 days of the discovery of a break.