Orlando Family Physicians data breach class action settlement
TopClassActions reports that a class action lawsuit against Orlando Family Physicians (OFP) has settled for an undisclosed sum. The settlement, which doesn’t include any admission of guilt by OFP, resolves claims surrounding an April 2021 data breach.
The breach reportedly occurred when four OFP employees fell prey to a phishing attack. Although the attack was discovered quickly, the threat actors were able to access accounts related to patients, prospective patients, employees, and other individuals, including name; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number; medical record number; patient account number; and passport number.
OFP reported the incident to HHS in July 2021 as affecting 447,426 patients.
The lawsuit is Lopez Morales, et al. v. Orlando Family Physicians LLC, Case No. 2021-ca-009153-o, in the Ninth Judicial Circuit Court in and for Orange County, Florida.
The official settlement site with details is at OrlandoFPSettlement.com.
DataBreaches perused the settlement agreement to see if there were any provisions relating to improving data security. There is a section of this settlement entitled Equitable Relief, with the following provisions:
2.7 Equitable Relief. For a period of 36 months following the execution of this Settlement Agreement, OFP will implement the following verifiable contractual data security procedures (“Business Practice Commitments”):
- Implementation of multi-factor authentication for all OFP remote access points, including VPN and e-mail
- Enrollment of all employees in mandatory bi-annual cyber security awareness training
- Performing quarterly phishing simulations to help employees stay vigilant of current cyber threats
- Enhancing firewall perimeter security settings by implementing geography-based blocking and website content filtering
- Configuring third-party Dark Web monitoring services
- Implementation of Endpoint Detection and Response software on all workstations/servers Improving vulnerability management by running quarterly scans, and promptly rolling out software patches