On May 16, 2022, the U.S. District Court for the Middle District of Florida, Tampa Division, granted preliminary approval of a proposed settlement agreement that requires Musculoskeletal Institute, d/b/a Florida Orthopaedic Institute (FOI), a health care organization specializing in orthopedic care and related services, to pay a $4 million settlement.
A ransomware attack occurred April 9, 2020, exposing personal identifiable information (PII) and protected health information (PHI) belonging to around 647,000 individuals. Affected PII and PHI included individuals’ names, dates of birth, Social Security numbers, medical information, insurance plan identification numbers, payer identification numbers and claims addresses and histories. A class-action lawsuit was filed alleging that FOI had not taken reasonable care in preserving its patients’ privacy. The plaintiffs also argued that FOI failed to adequately investigate the ransomware attack and provide proper notice within a reasonable time. Specifically, the plaintiffs alleged two forms of negligence, invasion of privacy, breach of fiduciary duty, breach of confidence, breach of implied contract, unjust enrichment and violation of Florida’s Deceptive and Unfair Trade Practices Act.