Orlando Health is committed to protecting the confidentiality and security of our patients’ information. Regrettably, we recently identified and addressed a security incident that may have involved some of that information. On August 5, 2022, Orlando Health’s ongoing investigation into an email compromise incident determined that an employee’s email account was subject to unauthorized access between July 5, 2022 and July 13, 2022. Based on the role of the employee, there was no expectation that the account would contain patient information. Upon learning of the incident, Orlando Health immediately took steps to secure the employee’s account and launched an investigation with the assistance of a forensic firm. The investigation was unable to determine whether any emails or attachments in the email account were in fact actually viewed or accessed by any unauthorized person.
Out of an abundance of caution, Orlando Health initiated a review of the contents of the account to identify what information it contained. This review is ongoing. However, on or around September 19, 2022, Orlando Health identified emails and attachments in the account containing certain patients’ information including demographic and clinical information, and, in some instances, health insurance ID numbers and/or Social Security numbers.
This incident did not affect all Orlando Health patients, but only a limited number of those whose information was included in the email account.
Although there is no certainty that this patient information was viewed/accessed by an unauthorized individual or that the purpose of the incident was to view email contents, on November 18, 2022, Orlando Health began mailing letters to individuals whose information has been identified thus far. Upon completion of its ongoing review, Orlando Health will mail letters to additional individuals for whom it has sufficient contact information. Orlando Health has also established a dedicated, toll-free call center to answer questions that individuals may have about the incident, available at 1-800-482-2349, Monday through Friday, from 9:00 a.m. to 6:00 p.m. Eastern Time. For those whose Social Security numbers are included in the email account, Orlando Health is offering complimentary credit monitoring and identity protection services. Orlando Health also recommends that affected individuals review statements they receive from their health insurers or healthcare providers. If they see charges for services they did not receive, they should contact the insurer or provider immediately.
We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, we are reinforcing education with our staff and implementing additional security enhancements to our email environment.