Orlando Family Physicians Experiences Email Phishing Incident

ORLANDO, Fla.--(BUSINESS WIRE)--Orlando Family Physicians, LLC (OFP), a physician practice located in Orlando, was the victim of a phishing email that resulted in unauthorized access to four employee email accounts. Importantly, OFP is not presently aware of any misuse of the personal information about patients or other individuals contained in the affected email accounts. OFP has sent this press release to meet its obligations under federal and state law.

On April 15, 2021, an unauthorized person accessed the email account of an OFP employee by obtaining the employee’s user ID and password through a phishing email. OFP immediately took steps to contain the incident and began an investigation to determine the scope of the incident. OFP retained a leading cybersecurity forensics firm to assist with its investigation and identified three additional employee email accounts that the unauthorized person accessed. OFP terminated the unauthorized access to each of the four affected employee email accounts within 24 hours of the initial unauthorized access to the account.

On May 21, 2021, OFP determined that there may have been unauthorized access to personal information contained in the four email accounts. On July 9, 2021, OFP identified the OFP patients, prospective patients, employees and other individuals whose personal information was included in the affected email accounts. The email accounts included the following types of personal information, but not all of the types were present for each affected individual: name; demographic information; health information, including diagnoses, providers and prescriptions; health insurance information, including legacy Medicare beneficiary number derived from the individual’s Social Security number or other subscriber identification number; medical record number; patient account number; and passport number.

The available forensic evidence clearly indicates that the unauthorized person’s purpose was to commit financial fraud against OFP and not to obtain any personal information about the affected individuals. Nonetheless, OFP notified the affected individuals of the incident because of the possibility of unauthorized access to their personal information. To prevent similar incidents in the future, OFP enhanced its technical security measures and is providing supplemental training to OFP employees regarding the importance of email security.

OFP encourages affected individuals to remain vigilant for identity theft by regularly reviewing their account statements from their health care providers, explanations of benefits from their health plan and other documents related to medical services. Affected individuals with questions or concerns regarding this incident may contact OFP toll-free by calling (855) 545-2005.