Florida Health Practice Target of Cyberattack, PHI Exposed

July 30, 2021 - Orlando Family Physicians is notifying patients of a recent cyberattack that is impacting their protected health information (PHI.)  

The data breach impacts 447,426 individuals, according to US Department of Health and Human Services Office for Civil Rights. 

In a statement to patients on the Orlando Family Physicians website, the office states it “was the victim of a recent phishing email incident that potentially resulted in unauthorized access to personal information of four employees’ email accounts. At this time, we are not aware of any misuse of any your personal information.” 

OFP, which has several offices throughout Florida, said the cyberattack occurred on April 15.  

The notice states that “an unauthorized person accessed the email account of an OFP employee by obtaining the employee’s user ID and password through a phishing email.  We immediately took steps to contain the incident and began an investigation to determine its scope. We retained a leading cybersecurity forensics firm to assist with our investigation.” 

“As part of the investigation, we identified three additional employee email accounts that the unauthorized person accessed and began an extensive review of the affected email accounts to determine whether they contained personal information,” the notice states. “We terminated the unauthorized access to each of the four affected employee email accounts within 24 hours of the initial unauthorized access to the account.”  

Additionally, on May 21, the practice discovered that “there may have been unauthorized access to personal information contained in the four email accounts. On July 9, 2021, OFP identified the OFP patients, prospective patients, employees and other individuals whose personal information was included in the affected email accounts,” according to the statement.  

The cybercriminal’s intention was to “commit financial fraud against OFP and not to obtain personal information about the affected individuals,” the notice states. “Nonetheless, we are notifying affected individuals because of the possibility that the unauthorized person had access to personal information.” 

The data breach includes names, demographics, health information, diagnoses, providers, prescriptions, health insurance, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number, medical record number, patient account number, and passport number, according to the notice.  

OFP is enhancing data security and providing training to employees about email security, it stated.  

For impacted individuals, the practice is advising patients to remail vigilant by regularly reviewing account statements and credit reports.  

Impacted individuals can call 855-545-2005 with questions or concerns about the data breach.