914,000 Patients Impacted by Hacking of Florida Orthopedic Institute and Benefit Recovery Specialists

The protected health information of 914,000 patients has potentially been compromised in two hacking incidents: A ransomware attack on the Florida Orthopedic Institute, one of the largest providers of orthopedic services in the state, and a malware attack on the billing and collection agency Benefit Recovery Specialists.

Florida Orthopedic Institute Ransomware Attack

Tampa Bay, FL-based Florida Orthopedic Institute (FOI) has started notifying 640,000 patients that some of their protected health information may have been obtained by hackers in a recent ransomware attack. The attack occurred on or around April 9, 2020 and resulted in the encryption of data stored on its servers. The subsequent investigation confirmed on May 6, 2020 that patient data was potentially accessed or stolen in the attack.

FOI was able to recover the encrypted data and steps have since been taken to improve security to prevent further attacks in the future. The types of data potentially obtained by the hackers prior to the deployment of ransomware included patient names, dates of birth, social security numbers, medical information related to appointment times, diagnosis codes, payment amounts, insurance plan identification numbers, physician locations, payer identification numbers, claims addresses, and/or FOI claims histories. FOI offered affected individuals complimentary credit monitoring and identity theft protection services for 12 months.

An attorney from the law firm Morgan & Morgan filed a lawsuit against FOI seeking at least $99 million in damages for victims of the breach, one of whom was a paralegal at Morgan & Morgan. The lawsuit alleges FOI was negligent and failed to properly secure and safeguard patients’ protected health information. The lawsuit seeks damages for victims, extended membership to credit monitoring services, and requires FOI to strengthen security to prevent further data breaches.

The breach ranks as the second largest healthcare data breach to be reported in 2020.

Benefit Recovery Specialists Malware Attack

The Texas-based billing and collection agency, Benefit Recovery Specialists Inc. (BRSI), a business associate used by several healthcare organizations, has announced that a hacker stole employee credentials and gained access to systems containing the protected health information of 274,000 patients of its healthcare provider clients. The hacker also downloaded malware on its servers.

The malware was detected by BRSI on April 30, 2020 and the investigation concluded the hacker had access to its systems for 10 days from April 20, 2020, during which time the attacker had access to files containing patients’ protected health information and may have acquired some of that information.

The types of data potentially compromised in the attack was limited to names, dates of birth, policy numbers, provider names, diagnosis codes, procedure codes, and dates of service. A subset of patients also had their Social Security number exposed.

The data breach ranks as one of the top 5 healthcare data breaches to be reported so far in 2020.