Posted On February 10, 2022 Consumer Privacy & Data Breaches

Data Breach at iRISE Florida Spine and Joint Institute, LLC

February 10, 2022 – Recently, iRISE Florida Spine and Joint Institute, LLC (“iRISE”) announced a “data security incident” in which an unauthorized party obtained access to an employee’s email account. As a result of the iRISE Spine and Joint data breach, the personal and protected health information (“PHI”) information of 61, 595 individuals was compromised. Those impacted by a data breach should be sure they understand what happened, what their rights are, and how they can pursue them. The data breach lawyers at Console & Associates, P.C. are actively investigating this security breach. If an investigation reveals that iRISE Florida Spine and Joint Institute failed to ensure the safety of consumer data leading up to the breach, the company may be liable through a data breach class action lawsuit.

Cyberattacks such as this one are increasingly common in today’s society. Today more than ever, businesses store data electronically. While there are certainly many ways to protect against cyberthreats, hackers have ways of identifying vulnerabilities in data security systems, which they can then exploit.

When a hacker breaches a company’s computer systems, they can steal sensitive consumer information from the compromised systems. While there is no guarantee that this information will be used for criminal purposes, that is not an uncommon occurrence. Thus, as a matter of course, after a company experiences a data breach, they will inform anyone whose information was compromised. Despite the risks data breaches present, many consumers fail to take precautionary measures to protect themselves from identity theft and other frauds.

Those impacted by a data breach should be sure they understand what happened, what their rights are, and how they can pursue them.

Can Consumers Whose Data Was Leaked Pursue Legal Action Against a Company?

When you allowed iRISE access to your personal data, you trusted the company to keep your sensitive information safe. However, news of the iRISE Florida data breach raises some very serious questions about the company’s data security measures and whether the company could have done more to prevent this type of cyber-attack.

Regardless of the industry, all businesses have a legal obligation to protect consumer information in their possession. Although creating and maintaining a data security system is costly, this is a necessary expense given the frequency with which cyberattacks occur.

Consumers whose personal, identifying, financial or healthcare-related data was compromised in a data breach can pursue legal action against a company that misused or mishandled their information. However, the investigation into the iRISE Spine and Joint breach is only in its beginning phases. For that reason, it is too early to tell if iRISE was legally responsible for the breach. However, our data breach attorneys are investigating the iRISE Spine and Joint Institute security breach to determine the potential legal remedies of those affected.

If you have questions about your ability to pursue a data breach class action lawsuit against iRISE Spine and Joint, contact a data breach attorney as soon as possible.

What to Do If You Received a Data Breach Notification from iRISE Spine and Joint

If you receive a data breach notification from iRISE Spine and Joint in the coming weeks, it means your personal data was among that which was compromised in the recent cyberattack. It also means a cybercriminal had access to—and may have stolen—your personal data. Given the risks involved, it is important you remain vigilant by taking the following steps:

1. 1. Figure Out What Information Was Stolen: Carefully review the data breach letter sent by iRISE Spine and Joint keeping in mind the information you provided to the company as well as the type of data that was compromised in the breach. You should also take a copy of the data breach letter and keep it for your records. Of course, data breach letters are not always easy to understand. A consumer privacy lawyer can help victims of a data breach understand what was compromised and how to protect themselves.
   2. Prevent the Hacker from Accessing Your Accounts: Once you determine the scope of the breach and how it affected you, the next step is to take all steps to prevent cybercriminals from accessing your credit or financial accounts. For example, you should change all passwords and security questions for your online accounts. You should also consider setting up multi-factor authentication where it is available.
   3. Protect Your Credit and Your Financial Accounts: In the wake of a data breach, companies usually provide free credit monitoring services for a specified period of time. This is not a gimmick, and you do not give up any rights by taking a company up on their offer. Additionally, you should contact one of the three main credit bureaus to request a copy of your credit report. Even if you do not notice any signs of fraud or unauthorized activity, it is a good idea to request a fraud alert. Fraud alerts are free and serve as a red flag to potential lenders and creditors that your information was compromised.
   4. Consider a Credit Freeze: A credit freeze prevents access to your credit report unless you specifically authorize it. Credit freezes are free and last until you remove them. While placing a credit freeze on your accounts may initially seem like a drastic measure, according to the Identity Theft Resource Center (“ITRC”), doing so is the “single most effective way to prevent a new credit/financial account from being opened.” However, ITRC reports that just 3% of consumers whose information is leaked place a freeze on their accounts. Once a credit freeze is in place, you can temporarily lift the freeze if you need to apply for any type of credit.
   5. Regularly Monitor Your Credit Report and Financial Accounts: Protecting yourself in the wake of a data breach is not a one-time task. You should continually monitor your credit report and all financial accounts, keeping an eye out for any signs of unauthorized activity or fraud. You may also consider calling your banks and credit card companies to report the fact that your information was compromised in a data breach.

About iRISE Spine and Joint

iRISE Florida Spine and Joint Institute, LLC is an orthopedic care provider founded in 2000 and headquartered in Boca Raton, Florida. iRISE offers patients both surgical and nonsurgical treatment options for a variety of conditions affecting the spine, joints as well as the surrounding ligaments, tendons, and muscles. The company employs approximately 190 people, and has locations across Florida, as well as two locations in Tennessee.

The Details of the iRise Data Breach

According to an official notice filed by the company, on November 22, 2021, iRISE Spine and Joint learned that an unauthorized party accessed an employee’s email account.  Once iRISE Spine and Joint learned of the possible breach, it initiated an internal investigation. The investigation confirmed that the company was the victim of a cyberattack and that certain files were accessible by the unauthorized party between the dates of February 24 and February 26, 2021.

Upon learning of the extent of the security breach, iRISE Spine and Joint then reviewed the affected files to determine what information was compromised. The company later confirmed that the compromised data may have included certain consumers’ protected health information. While the compromised information varies by consumer, it may include their names, dates of birth, medical information including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. For a smaller group of consumers, the breach resulted in the following information being compromised: Social Security numbers, driver’s license numbers, financial account information, credit card numbers, and usernames and passwords.

In January 2022, iRISE Spine and Joint Institute began sending out data breach notification letters to all individuals whose information was contained in the affected files. According to one source, as many as 61,595 consumers are believed to have been impacted by the breach.

Below is the iRISE online notice regarding the breach. The live version can be found here.

Dear [Consumer],

iRise Florida Spine and Joint Institute, LLC (“iRise”) is committed to maintaining the privacy and security of the information that it maintains. iRise recently notified individuals of a data security incident involving access to an iRise employee email account by an unauthorized-party.

Upon learning of this issue, iRise secured the account and commenced a prompt and thorough investigation. As part of its investigation, iRise engaged external cybersecurity professionals experienced in handling these types of incidents. The investigation worked to identify what personal information, if any, might have been contained in the affected email account. After an extensive forensic investigation and comprehensive and time-consuming manual document review, iRise discovered on November 22, 2021 that the email account accessed between February 24, 2021 and February 26, 2021 contained identifiable personal and/or protected health information. iRise has no evidence to suggest that any information has been misused. However, out of an abundance of caution, iRise provided written notification to anyone whose information may have been contained in the accessed account.

The accessed email account contained the personal and protected health information of certain individuals, including their names, dates of birth, medical information including diagnosis and/or clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. In a limited number of cases, Social Security numbers, driver’s license numbers, financial account information, credit card numbers, and usernames and passwords were also impacted. This incident does not affect all clients of iRise and not all information was included for all individuals.

iRise is sending notification letters to each affected individual for whom we have enough information to determine a physical address. Notified individuals have been provided with best practices to protect their information and have been reminded to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. It has also been recommended that affected individuals review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized. For the limited number of individuals whose Social Security numbers were contained in the impacted account have been offered complimentary credit monitoring for twelve months.

Since the date of this incident, iRise has taken measures to improve its technical safeguards in order to minimize the risk of a similar incident in the future, including implementing additional technical safeguards on its email system, implementing multifactor authentication, and providing additional training to employees to increase awareness of the risks of malicious emails.

For further questions or additional information regarding this incident, or to determine if you may be impacted, iRise has set up a dedicated toll-free response line for individuals to ask questions. The response line can be contacted at 855-604-1769 is available Monday through Friday, 8:00 a.m. to 8:00p.m. Central Time.