An unauthorized person accessed the email accounts of Orlando Family Physicians in Florida that contain the protected health information (PHI) of 447,426 patients.
Orlando Family Physicians stated that the compromise of the first email account happened on April 15, 2021 because an employee responded to a phishing email and exposed their account login information. The provider immediately took action to stop unauthorized access and started an investigation to find out the nature and scope of the breach.
With the help of a top-rated cybersecurity forensics company, Orlando Family Physicians confirmed that three more employee email accounts were accessed by unauthorized person. External access to the four compromised email accounts had been blocked in 24 hours after the first unauthored account access.
On May 21, 2021, Orlando Family Physicians confirmed that the unauthorized person possibly accessed email messages in the email account that included patients’ PHI. A review of the email messages and attachments was done, and on July 9, 2021, Orlando Family Physicians had identified all impacted persons.
The email accounts included the personal data and PHI of present patients, prospective patients, workers, and other people. The types of data in the accounts differed from person to person and included at least one of these data elements: Names, demographic information, diagnoses, names of providers, prescription medications, medical record numbers, patient account numbers, medical insurance data (Medicare beneficiary number or another subscriber ID number), and passport numbers.
The phishing attack seems to have been executed with the goal of undertaking financial fraud towards the practice rather than acquiring patient records. Nonetheless, because unauthorized data access and exfiltration cannot be excluded, impacted persons have been instructed to exercise extreme care and carefully monitor their explanation of benefits statements and financial accounts for indications of fraudulent transactions.
Orlando Family Physicians has improved its technical security procedures after the breach and additional training on email security is being given to its employees.