Recently, Central Florida Inpatient Medicine reported a data security incident stemming from what appears to be a compromised employee email account. According to the CFIM, the breach resulted in the personal and protected health information of certain patients being compromised. This includes their names, addresses, Social Security numbers, financial account numbers, and medical diagnoses, among other data types. Over the past few weeks, CFIM filed official notice of the breach and sent out data breach letters to all affected patients.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Central Florida Inpatient Medicine data breach, please see our recent piece on the topic here.

What We Know About the Central Florida Inpatient Medicine Data Breach

According to a notice posted on the CFIM website, the company recently discovered that certain sensitive information pertaining to thousands of patients was compromised. While CFIM doesn’t provide details of the incident, it does note that the breach involved “access to a CFIM employee email account by an unauthorized party.”

Upon making this discovery, CFIM enlisted the assistance of cybersecurity professionals to investigate the nature and scope of the incident, as well as what, if any, patient data was leaked. On May 5, 2022, this investigation confirmed that an unauthorized party had access to the affected email account between August 21, 2021 and September 17, 2021. It was also determined that the email account provided the unauthorized party with access to patients’ personal, financial, and protected health information.

A subsequent investigation revealed that the data types leaked in the recent CFIM data breach included patients’ names, dates of birth, medical information (including diagnosis and clinical treatment information), physician name, hospital name, dates of service, health insurance information, Social Security numbers, driver’s license numbers, financial account information, and usernames/passwords. CFIM notes that not all d was included for all individuals. Secondary news sources report that the Central Florida Inpatient Medicine data breach is believed to have impacted as many as 197,733 patients.

Recently, Central Florida Inpatient Medicine posted notice of the data breach on its website and sent out data breach letters to all patients whose information was compromised as a result of the recent data security incident.

More Information About Central Florida Inpatient Medicine

Central Florida Inpatient Medicine is an independent hospitalist group based in Lake Mary, Florida. CFIM provides patients with acute care, post-acute care, podiatry, psychiatry and wound care services through its various divisions, which include Psych Health Associates (PHA), Family Podiatry of Central Florida, Inpatient Care Specialists, Cape Coral Hospitalists, and Spectrum Medical Partners. Central Florida Inpatient Medicine employs more than 125 people and generates approximately $29 million in annual revenue.

The Importance of Your Protected Health Information

The Central Florida Inpatient Medicine data breach affected a wide range of patient data, including protected health information. Protected health information refers to identifying information relating to a patient’s health condition, as well as how a patient pays for their healthcare. In order for data to be considered protected health information, the data must contain one or more identifiers that can be used to identify the patient. These identifiers include:

• Full name, or a last name with an initial;

• Any geographical identifier more specific than a state;

• Dates of treatment;

• Phone numbers;

• Fax numbers;

• Email addresses;

• Social Security numbers;

• Medical record numbers;

• Account numbers;

• Biometric identifiers, including fingerprints; and

• Full-face images or other identifying photographs.

Thus, when you hear that protected health information was exposed, it means that with a little effort, anyone who obtains that data can identify you.

Any data breach is troublesome; however, the consequences of a data breach affecting your protected health information can be severe. For example, the data obtained through a healthcare data breach often gives an unauthorized party sufficient information to steal your identity. However, identity theft in the wake of a healthcare data breach is harder to resolve and comes at a far greater cost than traditional data breaches affecting only Social Security numbers and financial information.

Aside from the typical risks of unauthorized transactions, healthcare data breaches can put your physical health at risk. For example, if a hacker sells your data to a third party, that third party can then use your information to receive medical care in your name. The person pretending to be you can then provide physicians with information about themselves that ends up in your medical record. This can result in your medical record containing inaccurate information.