Orlando Family Physicians – Notice of Security Incident

July 20, 2021

At Orlando Family Physicians (OFP), the confidentiality and security of your health and other personal information is important to us, and we are committed to protecting it.  We are posting this notice to let you know that OFP was the victim of a recent phishing email incident that potentially resulted in unauthorized access to personal information of four employees’ email accounts.  At this time, we are not aware of any misuse of any your personal information.

WHAT HAPPENED?

On April 15, 2021, an unauthorized person accessed the email account of an OFP employee by obtaining the employee’s user ID and password through a phishing email.  We immediately took steps to contain the incident and began an investigation to determine its scope. We retained a leading cybersecurity forensics firm to assist with our investigation.  As part of the investigation, we identified three additional employee email accounts that the unauthorized person accessed and began an extensive review of the affected email accounts to determine whether they contained personal information. We terminated the unauthorized access to each of the four affected employee email accounts within 24 hours of the initial unauthorized access to the account.

On May 21, 2021, OFP discovered that there may have been unauthorized access to personal information contained in the four email accounts. On July 9, 2021, OFP identified the OFP patients, prospective patients, employees and other individuals whose personal information was included in the affected email accounts.  However, the available forensic evidence indicates that the unauthorized person’s purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals.  Nonetheless, we are notifying affected individuals because of the possibility that the unauthorized person had access to personal information.

WHAT INFORMATION WAS INVOLVED?

The personal information contained in the affected employees’ email accounts included the following types of information about the affected individuals, but not all of the types of information were present for each individual: name; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number; medical record number; patient account number; and passport number.

WHAT WE ARE DOING

We have enhanced our data security measures to prevent the occurrence of a similar event in the future.  We are also providing supplemental training to our employees on the importance of email security.

WHAT YOU CAN DO

We encourage you to remain vigilant for threats of fraud and identity theft by regularly reviewing your account statements and credit reports. We also recommend reading account statements from your health care providers, explanations of benefits from your health plan and other documents related to medical services to make sure they do not include services you did not receive.

FOR MORE INFORMATION

If you have any questions or concerns about the incident, please contact us toll-free by calling (855) 545-2005.

Para obtener más información en español haga click acá: orlandofamilyphysicians.com/aviso