19,000 Patients of Orlando Orthopaedic Center Affected by Transcription Service Provider Breach

The protected health information (PHI) of over 19,000 patients was exposed due to an error by a transcription service provider during a software upgrade on one of its servers. The health records of patients of Orlando Orthopaedic Center patients in Orlando, Florida were exposed throughout December 2017.

Protections were accidentally removed which allowed data on the server to be accessed over the Internet without the need for authentication. Orlando Orthopaedic Center became aware of the exposure of patients’ PHI in February 2018.

The discovery of the breach prompted a full investigation, which revealed names, dates of birth, insurance information, employer details, and treatment types were accessible. A limited number of patients also had their Social Security numbers exposed. Patients affected by the breach had received medical services at Orlando Orthopaedic Center prior to January 2018. It is not clear if any unauthorized persons accessed the PHI during the time when the server was left unprotected, although the healthcare provider has not been notified of any misuse of patient data.

Because data theft or unauthorized data access cannot be ruled out, Orlando Orthopaedic Center offered credit monitoring and identity theft protection services to all patients who had their Social Security number exposed. Patients have been advised to check their Explanation of Benefits statements and accounts for signs of misuse of of their PHI.

The transcription service vendor has corrected the problem and has secured its server and all PHI. Orlando Orthopaedic Center has also taken steps to ensure no further breaches are experienced, which include providing ongoing cybersecurity awareness training for all staff and the implementation of additional security solutions to further protect the confidentiality of protected healoth information.

On July 20, 2018, Orlando Orthopaedic submitted its breach report to the Department of Health and Human Services’ Office for Civil Rights which indicates 19,101 patients were affected by the breach.