On July 3, 2015, Orlando Health reported a (now former) employee illegally accessed the medical records of up to 3,200 patients while employed at the hospital. The data breach was discovered on May 27, 2015, although it took just over a month for breach notices to be issued. The healthcare provider started sending notifications to patients yesterday, according to the Orlando Sentinel.
An investigation was immediately launched upon discovery of the data breach, which rapidly established information had been improperly accessed by the employee. The healthcare provider terminated the employee’s work contract, and the matter has been reported to law enforcement officers.
This is not the first data breach to be suffered by Orlando Health. Another employee was discovered to have improperly accessed patient records in February 2013. In March of last year the company lost a flash drive containing the medical records of 586 children treated at the company’s Arnold Palmer Medical Center. More recently, just two months ago, patient records were found in a neighborhood driveway.
Breach Notification Delay Could Result in State Enforcement Action
After suffering so many data breaches, Orlando Health’s breach response procedures should be tried and tested; however, the healthcare provider waited more than a month to issue breach notices. Under HIPAA regulations, covered entities have up to 60 days to issue breach notices to victims and to alert the media and the Department of Health and Human Services’ Office for Civil Rights.
However, Florida data breach laws require healthcare providers to report data breaches to the state Attorney General within 30 days of a data breach occurring, unless there is deemed to be no risk of the data being used for fraudulent purposes.
A statement released by Orlando Health said the investigation determined that “records were improperly accessed but there is no evidence that any data has been copied or used to commit fraud.”
A breach notice is required under the HIPAA Rules, and Orlando Health issued its notices well within the allowable timeframe; the delay could, however, potentially violate Florida’s data breach laws.
Florida Hospitals Targeted by Tax Fraudsters
A number of Florida hospital employees have been caught snooping on patient records in recent months. Healthcare data carries a high value on the black market as the records can be used to commit identity, medical and insurance fraud. Criminals are often able to run up many thousands of dollars of debts before the crimes are discovered.
In Florida, data is often stolen for the purpose of filing fake tax returns in the names of victims. In this case, that task would be difficult as only the last four digits of Social Security numbers were viewable. However, there is still a risk of the victims suffering identity fraud as a result of the breach.
The data viewed included the medical insurance information of around 100 patients, adding a risk of insurance fraud for those individuals. Other information exposed included the names of patients, addresses, dates of birth, medical tests taken, and the results of those tests, along with some clinical information.
The patients affected have all previously visited either the Winnie Palmer Hospital for Women & Babies or the Dr. P. Phillips Hospital. A small percentage of the records related to patients of the Orlando Regional Medical Center. The records corresponded to patients who received medical services between January 2014 and May 2015.
The healthcare provider has set up a dedicated helpline for breach victims and will be offering support services, although it has not been announced whether the cost of credit monitoring and credit protection will be covered by Orlando Health.