Business Associate Error Caused Data Breach Affecting 19,000 Orlando Orthopaedic Center Patients


The protected health information (PHI) of more than 19,000 patients was compromised as a result of a mistake that a transcription service vendor made while upgrading software on a server. Patients of Orlando Orthopaedic Center in Orlando, Florida who received healthcare services before January 2018 were affected by the data breach.

The software upgrade by the transcription service provider lasted for the whole month of December 2017. During this period, anybody could access the PHI retained on the server over the internet without any authorization. It was not until February 2018 that Orlando Orthopaedic Center learned of the exposure of the patients' PHI.

After uncovering the data breach, a full investigation was launched, which found that names, birth dates, insurance details, employer information, and treatment types were viewable. Some patients' Social Security numbers were also exposed.

It is not certain whether any unauthorized individual viewed the PHI while the server was left exposed. However, Orlando Orthopaedic Center has informed all affected patients of the data breach by postal mail. The center stated that it has received no reports from patients of PHI misuse, and no evidence was found to suggest that unauthorized data access or data theft occurred.

Since unauthorized data access or data theft cannot be ruled out, the Orlando Orthopaedic Center patients whose Social Security numbers were exposed were offered credit monitoring and identity theft protection services. Patients were also advised to monitor their accounts and Explanation of Benefits statements for suspicious transactions or improper use of their PHI.

The transcription service provider has since resolved the issue and secured all PHI. Orlando Orthopaedic Center described in a press release the actions taken by the vendor. Orlando Orthopaedic Center has also provided ongoing cybersecurity awareness training to all staff and upgraded its security measures to ensure that the PHI of all patients stored on its web servers is protected.

Orlando Orthopaedic Center submitted its data breach report to the Department of Health and Human Services' Office for Civil Rights on July 20, 2018, stating that the breach affected 19,101 patients. No reason was given for why patients and OCR were notified 5 months after the breach was discovered. The HIPAA Breach Notification Rule requires that notifications be issued within 60 days of discovering a breach. Hence, Orlando Orthopaedic Center violated HIPAA.