
[Image: Orlando Family Physicians logo (image source: Orlando Family Physicians, 2016)]
One-sentence summary:
In April 2021, Orlando Family Physicians suffered a data breach via a successful phishing attack that exposed the data of over 447,000 individuals and patients and led to a potential $1.5 million settlement.
Who was involved?
Orlando Family Physicians, LLC, a threat actor, and 447,426 individuals and patients.
What was the timeline?
April 15, 2021: Breach starts, and OFP quickly detects the breach
April 16, 2021: Breach ends
May 21, 2021: Orlando Family Physicians discovers the scope of the data breach
July 9, 2021: Orlando Family Physicians begins patient notification
July 20, 2021: Orlando Family Physicians posts breach notice on their website and submits the breach notification to HHS
September 16, 2021: Class action lawsuit is filed against Orlando Family Physicians in Orange County, Florida
February 03, 2023: Settlement for aggregate cap of $1.5 million receives preliminary approval
What occurred?
An Orlando Family Physicians employee was successfully phished via email by an attacker, who then moved laterally into three other users’ accounts to “commit financial fraud against OFP” rather than to steal individuals’ or patients’ data (Orlando Family Physicians, 2021, paras. 2-3). OFP contained the incident within 24 hours (Orlando Family Physicians, 2021, para. 2). Nonetheless, the PII or PHI of 447,426 individuals and patients was breached and included: “name; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number; medical record number; patient account number; and passport number” (HHS, 2021; Orlando Family Physicians, 2021, para. 3). OFP was sued via class action in September 2021 and appears to have reached a preliminary settlement in February 2023 for an aggregate cap of $1.5 million (UniCourt, 2022; LOPEZ MORALES, ALMA et al. vs. ORLANDO FAMILY PHYSICIANS LLC, 2023, p. 7).
Estimated costs:
Associated incident response costs, a “leading cybersecurity forensics firm,” a Monday-Friday call center, breach notification costs, legal costs, and a potential $1.5 million settlement cost
Involved laws:
Federal: HIPAA and HITECH
Root cause:
Email phishing
Lessons learned:
OFP has self-reported that they are doing additional training on “email security.” Thus, the importance of user awareness training cannot be overstated in this situation. User awareness training is critical for any user with any public-facing access (e.g., email, phone, etc.). Mail gateways must also be employed and synchronized with threat intelligence sources to quickly detect and quarantine malicious links/files and flag/remove suspected phishing emails. Having a 24/7 SOC to monitor inbound email traffic and flag suspicious activity across the entire kill chain (e.g., mapped to the MITRE ATT&CK framework) can also help quickly stop or contain incidents, including the post-phishing lateral movement between user accounts seen here.
Example solutions:
User Awareness:
Knowbe4 https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/
Proofpoint https://www.proofpoint.com/us/products/security-awareness-training
Email Gateway:
Barracuda https://www.barracuda.com/products/email-protection/email-security-gateway
Proofpoint https://www.proofpoint.com/us/threat-reference/email-gateway
Sources:
HHS. (2021). Research Report. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved March 20, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
LOPEZ MORALES, ALMA et al. vs. ORLANDO FAMILY PHYSICIANS LLC, Case No.: 2021-ca-009153-o (Ora. Co. 2023). https://angeion-public.s3.amazonaws.com/www.OrlandoFPSettlement.com/docs/166105841%20Order%20Granting%20Preliminary%20Approval.pdf
Orlando Family Physicians. (2016, September). logo_ofp_facebook.jpg. orlandofamilyphysicians.com. https://orlandofamilyphysicians.com/wp-content/uploads/2016/09/logo_ofp_facebook.jpg
Orlando Family Physicians. (2021, July 20). Notice of Data Event – Orlando Family Physicians. Retrieved March 20, 2023, from https://orlandofamilyphysicians.com/notice/
UniCourt. (2022, February 23). LOPEZ MORALES, ALMA et al. vs. ORLANDO FAMILY PHYSICIANS LLC. Retrieved March 20, 2023, from https://unicourt.com/case/fl-ora-lopez-morales-alma-et-al-vs-orlando-family-physicians-llc-1493711?init_S=chup_ltst
Commentary:
Every cybersecurity professional should appreciate the level of transparency on Orlando Family Physicians’ website regarding how they were compromised and what the attacker’s motives were.