Maryland Ortho Practice Data Breach Exposes Over 125,000 People

Bethesda, Maryland-based The Centers for Advanced Orthopaedics (CAO) has notified 125,291 patients and CAO health plan members of a “data security incident” involving their protected health information.
The yearlong data security incident began in October 2019 and lasted until September 2020, when CAO detected “unusual activity in its email environment.” CAO then launched an investigation. With the aid of cybersecurity experts, CAO was able to determine that “multiple employee email accounts were subject to unauthorized access” and “certain emails therein were accessible to the responsible cybercriminal as a result.”
It was not until late January 2021 that CAO established that “protected health information was contained in emails accessible to the cybercriminal.” Two months later, CAO began mailing notification letters and notified the Department of Health and Human Services’ (HHS) Office for Civil Rights.
The protected health information varies by person and, according to the notice, CAO “cannot confirm whether this protected health information was actually accessed or acquired by the responsible cybercriminal.”
The notice indicates that, for most patients, protected health information included “medical diagnosis and treatment information and date of birth.” However, for a subset of patients, “accessible protected health information” also included “one or more of the following: Social Security number, driver’s license number, passport number, financial account information, payment card information, or email/username and password.”
Potentially exposed protected health information is different for employees and dependents on CAO health plans. For these individuals, protected health information included “date of birth, medical diagnosis and treatment information, Social Security number, and driver’s license number.” For a subset of this group, “accessible protected health information” also included “one or more of the following: passport number, financial account information, payment card information, or email/username and password.”
In 2021, 167 data breach incidents affecting 500 or more people have been reported to HHS. These incidents have affected more than 12,444,700 individuals. CAO’s is the 16th largest reported this year.