Cyber Incident Victim: iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute experienced a data breach involving unauthorized access to an employee email account containing protected health information. The incident occurred between February 24, 2021, and February 26, 2021, when an unauthorized individual gained access to the account. Forensic investigations confirmed this three-day window of compromise. A subsequent comprehensive review of emails and attachments within the account, completed by November 22, 2021, determined that 61,595 patients had their information exposed. The compromised data included names, dates of birth, diagnoses, clinical treatment details, physician and/or hospital names, dates of service, and health insurance information. For a limited subset of individuals, additional sensitive data was exposed, including Social Security numbers, driver's license numbers, financial account information, credit card numbers, and usernames with passwords.

iRise Florida Spine and Joint Institute notified affected individuals following the completion of the data review. The organization offered a 12-month complimentary credit monitoring service specifically to those whose Social Security numbers were exposed. In response to the breach, iRise conducted an internal review of its email security protocols and implemented additional technical safeguards, including the adoption of multifactor authentication. The workforce received supplementary training focused on email security practices to reinforce data protection measures. The incident did not involve system-wide network intrusion but was confined to the compromise of a single employee email account during the identified three-day period.