HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Florida Orthopaedic Institute Proposes $4 Million Settlement to Resolve Class Action Data Breach Lawsuit

Florida Orthopaedic Institute has proposed a $4 million settlement to resolve claims from patients affected by a 2020 data breach. In April 2020, Musculoskeletal Institute, dba Florida Orthopaedic Institute, discovered an unauthorized third party had gained access to a server that contained patients’ protected health information (PHI) and used ransomware to encrypt files.

The forensic investigation determined the PHI of 640,000 individuals had been exposed and potentially stolen in the attack, including names, contact information, birth dates, Social Security numbers, health insurance information, medical information, and other types of data. Notifications were sent to affected individuals in July 2020 and a 12-month membership to a credit monitoring service was offered to affected individuals.

Shortly after the notifications were sent, a lawsuit, Stoll et al. v. Musculoskeletal Institute, was filed in the U.S. District Court for the Middle District of Florida. It alleged that Florida Orthopaedic Institute was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients and had not followed basic cybersecurity best practices. The lawsuit also alleged invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The lawsuit alleged the sensitive protected health information of patients was now in the hands of cybercriminals and patients now faced a substantial risk of identity theft and fraud. Florida Orthopaedic Institute has admitted no wrongdoing but decided to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the proposed settlement, current and former patients who were notified about the data breach are entitled to submit a claim for a cash payment of up to $15,000 to cover out-of-pocket expenses and up to 5 hours of time that was lost remedying the data breach at $25 per hour.

Attorneys argued that a 12-month membership to credit monitoring services was insufficient. All individuals affected by the data breach will now be eligible to receive 3 years of identity theft protection, credit monitoring, and identity restoration services, regardless of whether a claim is submitted. Parents or guardians of minors who have been affected by the data breach are entitled to enroll the affected children in these services for 3 years if their children are minors at the time of the settlement. These services include a $1,000,000 identity theft insurance policy. The services retail for around $196 per individual.

All claims must be submitted no later than September 16, 2022. The final approval hearing for the settlement is September 29, 2022.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.