Third-party vendor error exposes data of 19K patients for 2 months

Orlando Orthopaedic’s transcriptionist vendor misconfigured access to a database during a software upgrade. The health center waited nearly six months to report.
By Jessica Davis
01:37 PM
[Image: exterior view of Orlando Orthopaedic Center in Florida]

A transcriptionist vendor for Orlando Orthopaedic Center made an error during a software upgrade, which resulted in the exposure of 19,101 patient records for about two months.

All patients who received medical services at any of the health center’s clinics prior to January 2018 were included in the breach.

The vendor upgraded its software over the course of December 2017. During the upgrade, the server hosting the records was left reachable from the public internet and accepted connections without authentication. Orlando Orthopaedic became aware of the breach in February 2018.

[Also: The biggest healthcare data breaches of 2018 (so far)]

The official statement did not explain why it took the organization nearly six months to notify patients. Under the HIPAA Breach Notification Rule, a covered entity must notify affected individuals, and for a breach affecting 500 or more people the U.S. Department of Health and Human Services as well, without unreasonable delay and no later than 60 days after the breach is discovered.

The investigation revealed patient names, dates of birth, insurance details, employers and medical treatment were all included in the exposed data. Social Security numbers were breached for a “limited number of patients.” Officials could not rule out theft or unauthorized access.

The vendor has since corrected the issue, and all patients are being offered a year of free credit monitoring.

The breach highlights two important issues: timeliness of breach reporting and third-party risk management. Investigations can take months to complete, but notifying patients early, rather than waiting for the investigation to finish, tends to improve the public response.

The HHS Office for Civil Rights also takes delayed notification seriously. Presence Health agreed to a $475,000 settlement in January 2017 after waiting about 100 days to report a breach. That is a steep penalty, given that Presence missed the 60-day deadline by roughly 40 days.

Orlando Orthopaedic’s breach also serves as a reminder to review third-party vendor management. Even when a business associate causes the breach, the healthcare provider that engaged it is still held accountable.

Data breaches will be among the pressing security topics experts address at the upcoming HIMSS Healthcare Security Forum in Boston, Oct. 15-16. Register here. 

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com