Cyber Incident Victim: Family Physicians Group
Date: Aug 2018
Location: United States of America
Summary
A large Orlando-based medical practice experienced a privacy breach impacting approximately 8,400 patients following a phishing attack targeting an employee's email account. The compromised account potentially exposed personal health information over a multi-week period before the unauthorized access was discovered. Notification letters were issued months after the incident concluded, disclosing the potential data exposure. The organization had recently undergone acquisition by a major healthcare entity prior to the breach discovery.
Description
Family Physicians Group, a large Orlando-based medical practice recently acquired by Humana, experienced a privacy breach potentially affecting 8,400 patients due to a phishing attack targeting an employee's email account. The unauthorized access occurred between August 7 and August 21, 2018; on August 21 the organization discovered the security incident and initiated containment measures. The compromised email account contained protected health information, though the specific data types exposed were not detailed in public disclosures. Upon detection on August 21, the organization secured the affected email account to prevent further unauthorized access and launched an internal investigation to determine the breach's scope and impact. The forensic analysis confirmed that patient information may have been exposed during the 14-day access period, prompting regulatory compliance actions.

The medical practice retained external cybersecurity experts to assist with the investigation and remediation efforts following the phishing incident. On December 28, 2018, Family Physicians Group issued a news release disclosing the breach and began notifying all potentially affected individuals through written correspondence. The notifications advised patients about the potential exposure of their personal health information and outlined steps taken to address the security vulnerability, though no credit monitoring or identity protection services were mentioned as being offered. The breach occurred shortly before Humana's acquisition of the practice, though there was no indication the new ownership structure influenced either the attack vector or response timeline. The incident highlighted risks associated with email-based threats in healthcare organizations handling sensitive patient data.
