Florida Health Sciences Center Data Breach Affects 896 Patients

A recent HIPAA data breach at Florida Health Sciences Center, Inc. has compromised the protected health information (PHI) of 896 individuals. The incident, reported to the Department of Health and Human Services on October 3, 2025, involved unauthorized access to physical medical records and films.

What Happened

Florida Health Sciences Center, Inc. experienced an unauthorized access/disclosure breach involving paper medical records and films. The healthcare provider reported this incident to federal authorities as required under the HIPAA Breach Notification Rule, which mandates that covered entities notify HHS of breaches affecting 500 or more individuals within 60 days of discovery.

While specific details about how the breach occurred remain limited, the involvement of physical documents and medical films suggests this was not a typical cyber attack. Instead, it appears that unauthorized individuals gained access to paper-based patient records, highlighting ongoing vulnerabilities in traditional record-keeping systems.

Who Is Affected

The breach impacted 896 patients who received care at Florida Health Sciences Center, Inc. All affected individuals are residents of Florida, and their protected health information (PHI) was potentially compromised through this unauthorized access incident.

Patients who received services from this healthcare provider should be particularly vigilant about monitoring their medical records and watching for signs of medical identity theft or insurance fraud.

Breach Details

Key Information:

• Entity: Florida Health Sciences Center, Inc
• Location: Florida
• Patients Affected: 896 individuals
• Breach Type: Unauthorized Access/Disclosure
• Records Involved: Paper documents and medical films
• Date Reported: October 3, 2025
• Business Associate Involvement: No

This incident falls under 45 CFR § 164.402 of the HIPAA Security Rule, which defines a breach as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information.

What This Means for Patients

When protected health information is compromised, patients face several potential risks:

Medical Identity Theft

Unauthorized access to medical records can lead to medical identity theft, where criminals use stolen health information to obtain medical services, prescription drugs, or submit fraudulent insurance claims. This type of fraud can result in incorrect information being added to victims' medical records, potentially affecting future care.

Insurance Fraud

Compromised health information may be used to file false insurance claims, which can impact patients' coverage limits and create billing discrepancies. Victims might receive bills for services they never received or find their insurance benefits exhausted.

Privacy Violations

The unauthorized disclosure of medical information represents a fundamental violation of patient privacy rights protected under HIPAA's Privacy Rule (45 CFR § 164.502). Sensitive health information may have been exposed to individuals who had no legitimate reason to access it.

How to Protect Yourself

If you were a patient at Florida Health Sciences Center, Inc., take these immediate steps:

Monitor Your Medical Records

• Request copies of your medical records from all healthcare providers
• Review Explanation of Benefits (EOB) statements carefully
• Look for unfamiliar treatments, procedures, or prescriptions
• Report any discrepancies immediately to your healthcare provider and insurance company

Watch Your Credit Reports

While this breach involved medical records rather than financial information, it's still wise to:

• Monitor your credit reports from all three major bureaus
• Consider placing a fraud alert or credit freeze on your accounts
• Watch for medical debt collections you don't recognize

Contact Your Insurance Company

• Notify your health insurance provider about the potential breach
• Ask about additional monitoring services they may offer
• Request alerts for any claims submitted using your information

Stay Vigilant

• Be suspicious of unsolicited calls about medical services or insurance
• Never provide personal health information over the phone unless you initiated the call
• Keep detailed records of all communications regarding this incident

Prevention Lessons for Healthcare Providers

This breach highlights critical HIPAA compliance challenges that healthcare organizations continue to face, particularly regarding physical document security.

Physical Safeguards

45 CFR § 164.310 requires covered entities to implement physical safeguards for PHI, including:

• Assigned security responsibility for physical access controls
• Workstation controls limiting access to authorized personnel
• Media controls governing the receipt and removal of hardware and electronic media

Even paper records require robust physical security measures, including locked filing systems, restricted access areas, and comprehensive access logging.

Administrative Safeguards

Healthcare providers must establish administrative safeguards under 45 CFR § 164.308, including:

• Designated HIPAA Security Officers responsible for developing and implementing security policies
• Workforce training on proper handling of PHI in all formats
• Access management procedures ensuring only authorized personnel can access patient records
• Incident response procedures for promptly identifying and addressing security incidents

Regular Risk Assessments

The HIPAA Security Rule requires covered entities to conduct regular risk assessments to identify vulnerabilities in their handling of PHI. This includes evaluating:

• Physical security of paper records and storage areas
• Access controls for different types of personnel
• Policies and procedures for handling sensitive documents
• Training effectiveness and compliance monitoring

Digital Transition Considerations

While many healthcare providers have transitioned to electronic health records, some still maintain paper documents and medical films. Organizations should:

• Develop comprehensive policies for handling legacy paper records
• Implement secure digitization processes where appropriate
• Ensure consistent security standards across all record formats
• Regularly audit physical document handling procedures

The Florida Health Sciences Center breach serves as a reminder that HIPAA compliance requires vigilant attention to all forms of PHI, not just electronic records. Healthcare providers must maintain robust security measures for paper documents and implement comprehensive staff training to prevent unauthorized access.

Patients affected by this breach should remain vigilant about monitoring their medical and financial records while healthcare organizations should use this incident as an opportunity to review and strengthen their own physical security measures.

Learn how HIPAA Agent can help protect your practice.