Cyber Incident Victim: Orlando Health Physicians
Date: Apr 2021
Location: United States of America
Summary
A Florida medical practice experienced a data breach after unauthorized individuals used phishing to compromise credentials and gain access to four employee email accounts. The organization terminated the illicit access within a day and later determined that sensitive information within the accounts was potentially exposed. The breach impacted approximately 447,000 individuals, including patients and employees, with compromised data encompassing names, health insurance details, Social Security and passport numbers, and medical information. Following the incident, the practice strengthened its security protocols and expanded employee training on email security to mitigate future risks.
Description
On April 15, 2021, an unauthorized party gained access to an employee email account at Orlando Family Physicians through a phishing attack that successfully obtained the employee’s user ID and password. Following this initial breach, the Florida-based physician practice discovered three additional employee email accounts had also been compromised. The practice terminated unauthorized access to all four accounts within 24 hours of detection, according to its July 20 news release. An investigation launched after the incident revealed the attackers had infiltrated the email systems via deceptive phishing emails. While the immediate containment occurred in April, the full scope of data exposure remained unclear until subsequent forensic analysis.

The investigation concluded on May 21, 2021, that patient and other sensitive data within the breached email accounts may have been accessed or exfiltrated. By July 9, the practice completed identifying affected individuals, including 447,000 patients, prospective patients, employees, and others whose information resided in the compromised accounts. Exposed data encompassed names, health insurance details, Social Security numbers, passport numbers, and medical-related information. No specific evidence confirmed actual misuse of the data. In response, Orlando Family Physicians implemented enhanced security protocols and expanded employee training programs focused on email security to reduce future phishing risks. The practice notified impacted parties but did not disclose whether regulatory fines or legal actions resulted from the breach.
