HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Tampa Bay Surgery Center Notifies 26,000 of PHI Theft

Tampa Bay Surgery Center has started notifying almost 26,000 patients that some of their protected health information was stolen by an unauthorized individual who subsequently posted the information on a file sharing website.

Law enforcement contacted Tampa Bay Surgery Center on May 5, 2017 alerting the healthcare provider to the data dump. The file had been uploaded to the file sharing website the previous day. The file contained sensitive data that had been obtained from a database maintained by Tampa Bay Surgery Center. Data stolen and exposed online by the malicious third party included the full names of patients along with dates of birth, home addresses and social security numbers. A link to the file was also distributed on Twitter by the individual who claimed to have stolen the data.

Tampa Bay Surgery Center has notified the Department of Health and Human Services’ Office for Civil Rights of the breach. The breach report indicates 25,848 patients were affected by the incident. Those individuals are being offered identity theft protection services without charge, although patients have been informed that no evidence has been uncovered to suggest any of the stolen protected health information has been misused.

An investigation into the breach is ongoing and processes and procedures are being updated to ensure similar incidents do not occur in the future.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

While the breach will come as news to many patients, the incident was reported in May by Databreaches.net, which has been following the activities of the individual/group responsible for the attack – The Dark Overlord (TDO). TDO has conducted numerous attacks on healthcare organizations over the past few months.

TDO steals data, threatens to publish the information online and advises organizations that they can stop the data dump by paying a ransom. If the ransom is paid, TDO claims data will not be released online. As has happened on numerous occasions already, if the ransom demand is not paid or the request is ignored, data are published. TDO was behind attacks on OC Gastrocare, Aesthetic Dentistry, Dougherty Laser Vision, Peachtree Orthopedics, Midwest Orthopedic Pain & Spine, Athens Orthopedic Clinic and many others, including an unnamed third-party health insurer from which 9.3 million records were stolen.

According to Databreaches.net, the data dump appeared to include 142,000 records. The tweet sent by TDO, from an account that has subsequently been suspended, was ““Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us.” The file has since been taken down and is no longer accessible online.  

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.