Tampa, Florida-based Florida Orthopaedic Institute has agreed to pay patients $4 million for a 2020 data breach.
Florida Orthopaedic Institute is the largest orthopedic group in Florida. In April 2020, Florida Orthopaedic Institute detected a ransomware attack. After a third-party forensic investigation, Florida Orthopaedic Institute learned that protected health information may have been exposed or stolen during the attack.
In June 2020, the Florida Orthopaedic Institute informed 640,000 patients about the data breach. For OTW’s original coverage of the ransomware attack, see “Florida Orthopaedic Institute Victim of Ransomware Attack.”
Shortly after the data breach notification was sent out, a lawsuit was filed in the U.S. District Court for the Middle District of Florida. Per filings, it alleged that Florida Orthopaedic Institute was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to patient privacy. The lawsuit included a number of other allegations as well.
Florida Orthopaedic Institute has not admitted any wrongdoing. However, to resolve the claims, Florida Orthopaedic Institute agreed to pay $4 million. Per the proposed settlement, patients who were notified about the data breach can submit a claim for a cash payment of up to $15,000 for out-of-pocket losses as well as for other reimbursements and services.
Florida Orthopaedic Institute isn’t the first hospital or clinic that has had to pay for cyber-attacks. Over the past few years, OTW has been documenting lawsuits against providers over data breaches. For OTW’s previous coverage of cyber-attacks that have cost clinics, see “Victims Can Sue Ortho Clinics if Data Hacked,” “Banner Health Agrees to Pay $6 Million for Data Breach,” and “Four Patients Sue DCH Health System After Ransomware Attack.”
Healthcare data breaches of 500 or more records are reported to the Department of Health and Human Services. There are 884 data breaches from the past 24 months that the Office for Civil Rights is currently investigating. What will these data breaches cost providers?

