Getty Images/iStockphoto

Florida Orthopaedic Institute Reaches $4M Settlement Over Data Breach

A 2020 data breach at Florida Orthopaedic Institute impacted 640,000 individuals and resulted in data being encrypted.

Florida Orthopaedic Institute (FOI), also known as Musculoskeletal Institute, reached a $4 million proposed settlement over a 2020 data breach. The breach was the fifth-largest of 2020 and impacted 640,000 individuals.

In June 2020, FOI disclosed that in April, a ransomware attack had encrypted data stored on its servers. The attack resulted in potential access and exfiltration of patient data, including names, Social Security numbers, birth dates, medical information, insurance plan identification numbers, claims addresses, payer identification numbers, and other personal information.

After the incident, plaintiffs sought class-action status in a lawsuit against FOI for its “failure to properly secure and safeguard protected health information” as defined by HIPAA. The plaintiffs also alleged that FOI failed to comply with industry standards and provide timely notice to impacted individuals.

The original complaint said that FOI waited more than two months after discovering the incident to notify individuals, and failed to disclose the actual date of data disclosure.

The complaint also alleged that FOI “downplayed the seriousness of the incident” by saying that “while we are not aware of the misuse of any information impacted by this incident, we are sending this letter to notify you about the incident and provide information about steps you can take to help protect your information.”

“These representations are just simple boilerplate language pulled off a common template, clearly evidencing Defendant’s lack of concern for the seriousness of the Data Disclosure—wherein hackers gained access to Defendant’s systems, encrypted that data, and, according to Defendant, likely exfiltrated that data,” the complaint stated.

FOI did not admit any wrongdoing but agreed to a $4 million settlement. Class members are eligible to receive up to $15,000 each for out-of-pocket losses traceable to the incident and $25 per hour for lost time.

Additionally, settlement class members are eligible to access identity restoration services for three years, regardless of whether they submit a claim.

Healthcare data breaches continue to impact the healthcare sector, and lawsuits have followed. Just last week, Dental Care Alliance (DCA) reached a $3 million proposed settlement over a December 2020 healthcare cyberattack that lasted for one month and impacted 1 million patients and employees. Additionally, California-based Salinas Valley Memorial Healthcare System (SVMHS) agreed to pay up to $340,000 to class members impacted by a 2020 healthcare data breach.

Next Steps

Dig Deeper on Cybersecurity strategies