A Florida healthcare group has settled a class-action lawsuit after thieves stole more than 447,000 patients’ names, Social Security numbers, and sensitive medical information from its servers.
Under the settlement [PDF], Orlando Family Physicians, which operates 10 clinics in central Florida, will reimburse affected patients who submit a claim by July 1, and provide them with two years of free credit monitoring. Depending on what type of private data the crooks stole, patients may receive up to $225 or, for those whose SSNs were swiped, up to $7,500.
Also under the settlement, the physicians group doesn’t admit any culpability following the data heist.
The theft occurred in April 2021 after criminals gained access to four employees’ email accounts via a phishing scam, according to court documents [PDF].
Orlando Family Physicians said it “immediately” took steps to contain the intrusion and hired a “leading” security shop to determine the scope of the intrusion.
A few months later, the health group posted a notice on its website and sent letters to individuals whose personal information was exposed.
This included names; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number; medical record numbers; patient account numbers; and passport numbers.
“However, the available forensic evidence indicates that the unauthorized person’s purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals,” the physicians