Optometric Industry Updated Cyber Hacks

Below are actual cases that occurred around the country, as documented by the Privacy Rights Clearinghouse.

Date Made Public: April 12, 2017; Company: Eyecare Services Partners Management, LLC

Location: Texas
Type of breach: DISC
Type of organization: MED
Records Breached: 9,129
Location of breached information: Other
Business associate present: Yes
Information Source: US Department of Health and Human Services

Date Made Public: March 2, 2017; Company: VisionQuest Eyecare

Location: Indiana
Type of breach: HACK
Type of organization: MED
Records Breached: 85,995
Location of breached information: Network Server
Business associate present: No
Information Source: US Department of Health and Human Services

Date Made Public: February 17, 2017; Company: Robert E Torti, MD, PA dba Retina Specialists

Location: Texas
Type of breach: PHYS
Type of organization: MED
Records Breached: 887
Location of breached information: Paper/Films
Business associate present: No
Information Source: US Department of Health and Human Services

Date Made Public: February 13, 2017; Company: 2020 On-Site Optometry

Location: Massachusetts
Type of breach: HACK
Type of organization: MED
Records Breached: 15,400
Location of breached information: Network Server
Business associate present: Yes
Information Source: US Department of Health and Human Services

Date Made Public: November 18, 2016; Company: Eye Institute of Marin

Location: Marin, California
Type of breach: HACK
Type of organization: MED
Records Breached: 0
Information Source: California Attorney General
Information Source: US Department of Health and Human Services

“On or about August 22, 2016, we received confirmed notice from our electronic medical record provider that their electronic system was subject to a malware attack on July 26, 2016. They became aware of the incident on July 27, 2016, and we are informed that they promptly took action to secure their systems.
We immediately requested further information to understand what happened and to determine which, if any, of our patients were affected. On September 14, 2016, we were provided further detail of the events, and learned that the company, MMPC, experienced a ransomware infection.
Ransomware is a type of malware which restricts access to the computer system that it infects, and demands that a ransom be paid to the creator of the malware to remove the restriction. The third party forensic IT firm hired to investigate this incident found no evidence that patient information was viewed, transferred or accessed. However, during the restoration process of their system, MMPC has informed us that one of their backup systems failed causing the loss of consultation notes between July 11, 2016 and July 26, 2016. Given these events, we wanted to notify you of this matter.”

Date Made Public: November 16, 2016; Company: Vision Care Florida, LLC

Location: Florida
Type of breach: DISC
Type of organization: MED
Records Breached: 7,500
Location of breached information: Desktop Computer
Business associate present: No
Information Source: US Department of Health and Human Services

Date Made Public: November 4, 2016; Company: Wal-Mart Stores, Inc.

Location: Arkansas
Type of breach: DISC
Type of organization: MED
Records Breached: 771
Location of breached information: Paper/Films
Business associate present: No
Information Source: US Department of Health and Human Services

Date Made Public: September 28, 2016; Company: Thomasville Eye Center

Location: Georgia
Type of breach: DISC
Type of organization: MED
Records Breached: 10,891
Location of breached information: Desktop Computer
Business associate present: No
Information Source: US Department of Health and Human Services

The covered entity (CE), Thomasville Eye Center, discovered that one of its employees opened a credit account for a patient without authorization. The employee was able to access patient names, addresses, dates of birth, Social Security numbers, and billing information. Although the CE only knows of one patient being impacted, the employee accessed records of 11,137 individuals during her employment, all of whom may have been affected. The CE provided breach notification to HHS, the individuals who may have been affected, the media, and on its website. Following the breach, the CE retrained employees and revised policies and procedures to limit employee access to protected information. OCR obtained assurances that the CE implemented the corrective actions listed above. The CE also terminated the employee involved, notified local law enforcement, and the FBI.

Date Made Public: June 8, 2016; Company: Wal-Mart Stores, Inc.

Location: Bentonville, Arkansas
Type of breach: DISC
Type of organization: MED
Records Breached: 27,393
Location of breached information: Paper/Films
Business associate present: No
Information Source 1: US Department of Health and Human Services

OCR opened an investigation of the covered entity (CE), Wal-Mart Stores, after it discovered an erroneous mailing of refund checks by its business associate (BA), Harte-Hanks Direct Marketing/Kansas City, LLC. This breach resulted in unauthorized disclosure of 27,379 individuals’ protected health information, which included names, store locations, refund amounts, prescription or order numbers, and order dates. The CE provided breach notification to HHS, affected individuals, and the media. OCR obtained assurances that the CE implemented the corrective actions noted above.

Date Made Public: May 5, 2016; Company: Southeast Eye Institute, P.A. dba Eye Associates of Pinellas

Location: Pinellas Park, Florida
Type of breach: HACK
Type of organization: MED
Records Breached: 87,314
Location of breached information: Network Server
Business associate present: No
Information Source 1: Media
Information Source 2: US Department of Health and Human Services

This specific breach, as reported, is part of a larger breach of the company Bizmatics, which provides EHR/EMR software solutions to 15,000 healthcare providers.
“The Southeast Eye Institute, P.A., in Florida, doing business under the name the Eye Associates of Pinellas, reported a possible data breach after an unauthorized individual gained access to patient data via a third party affiliate.
How many victims? 87,314
What type of information? Names, addresses, telephone numbers, Social Security numbers, dates of birth, and insurance information may have all been compromised.
What happened? On March 30, 2016, The Southeast Eye Institute was notified that a third-party breach at the medical practice software provider Bizmatics may have compromised the information of “at least some” of the institute’s patients. Officials said the breach occurred in January 2015 but they did not immediately become aware of the incident. Bizmatics was unable to determine which patients’ information was accessed and if the unauthorized individual was able to collate the various data files.”
Information below has been obtained by the US Department of Health and Human Services:
Southeast Eye Institute, P.A., the covered entity (CE), discovered that its business associate (BA), Bizmatics Inc., suffered a breach after a hacker accessed its servers. The breach affected 87,000 individuals and included patients’ names, addresses, social security numbers, and health visit information. The CE timely sent breach notification to HHS, to affected individuals, to the media, and posted notification on the main page of its website. The CE did not have a BA agreement with Bizmatics at the time of the breach, but following the breach, the CE decided to terminate its relationship with the BA. After terminating its relationship with the BA, the CE received a certificate of records destruction from the, which confirmed that all of the CE’s patient records stored by the BA were destroyed. OCR obtained assurances that the CE implemented the corrective actions listed above.

Date Made Public: March 1, 2016; Company: Walmart Stores, Inc.

Location: Bentonville, Arkansas
Type of breach: HACK
Type of organization: MED
Records Breached: 4,800
Location of breached information: Electronic Medical Record
Business associate present: No
Information Source: Government Agency

As reported by Health and Human Services: unauthorized access/disclosure, electronic medical record. Health and Human Services provided no specific information as to what information was compromised.

Date Made Public: February 26, 2016; Company: The Eye Institute of Corpus Christi

Location: Corpus Christi, Texas
Type of breach: HACK/PHYS
Type of organization: MED
Records Breached: 43,961
Location of breached information: Electronic Medical Record
Business associate present: No
Information Source: Government Agency

“The Eye Institute of Corpus Christi, a full service eye care, diagnosis, and treatment clinic in Texas, has discovered that individuals gained access to the records of all of its patients, downloaded their protected health information from the EHR, copied those data, and provided them to two physicians formerly employed by the eye clinic. The disclosed data include the names of patients, their addresses, contact telephone numbers, Social Security numbers, dates of birth, medical diagnoses, details of treatment, and health insurance details. After review of the response from the entity, OCR determined that a breach of protected health information did not occur.”

Date Made Public: January 12, 2015; Company: Children’s Eyewear Sight

Location: California
Type of breach: PHYS
Type of organization: MED
Records Breached: 1,030
Location of breached information: Desktop Computer
Business associate present: No
Information Source: US Department of Health and Human Services

Date Made Public: January 2, 2014; Company: Eye Surgery Education Council

Location: Fairfax, Virginia
Type of breach: HACK
Type of organization: MED
Records Breached: 4,748
Reportedly, the Eye Surgery Education Council's system was hacked and user accounts with partial email addresses, user names and clear text passwords were dumped onto the Internet.
Information Source: Dataloss DB

Date Made Public: November 8, 2013; Company: Ferris State University – Michigan College of Optometry

Location: Big Rapids, Michigan
Type of breach: HACK
Type of organization: MED
Records Breached: 3,947
Michigan College of Optometry learned on July 23, 2013 that their network had been compromised in December of 2011. A malware program could have accessed the names, Social Security numbers, demographic information, and a limited amount of clinical information of patients that were on the server. Former and current patients were mailed letters on September 24.
Information Source: HHS via PHIPrivacy.net
Records from this breach used in our total: 3,947

Date Made Public: June 21, 2013; Company: Gulf Breeze Family Eyecare (Sight and Sun Eyeworks Gulf Breeze)

Location: Gulf Breeze, Florida
Type of breach: INSD
Type of organization: MED
Records Breached: Unknown
Sight and Sun learned of a patient privacy breach on May 17. Patient names, Social Security numbers, addresses, medical record numbers, and other personal information may have been exposed. An employee accessed and copied patients’ electronic medical records without legitimate purpose.
UPDATE (06/26/2013): A total of 9,000 patients were affected. It appears that the records were accessed to target patients for other medical service offerings.

Date Made Public: October 29, 2012; Company: Massachusetts Eye and Ear Infirmary

Location: Boston, Massachusetts
Type of breach: INSD
Type of organization: MED
Records Breached: 3,600
Origin of Data Breach: May 19, 2012
Information Source: Press Release

A dishonest employee was arrested and fired in March after stealing patient information from Massachusetts Eye and Ear Infirmary. The former employee opened fake accounts to avoid paying for electricity. The investigation began in January when one of the victims noticed that her Social Security number had been used to open an account. Names and dates of birth were also compromised. An employee was fired after police informed Massachusetts Eye and Ear that the employee was being investigated for identity theft. The employee had taken and misused patient names, Social Security numbers, and dates of birth. At least four of the employee’s victims came from Massachusetts Eye and Ear, but she had access to the information of approximately 3,600 patients.

Date Made Public: October 11, 2011; Company: Indiana University School of Optometry

Location: Bloomington, Indiana
Type of breach: DISC
Type of organization: MED
Records Breached: 757 (No Social Security numbers or financial information reported)

Health information stored on a computer server was accidentally made available to the public online between August and September of 2011. Patients who were seen by a former faculty member of the school were affected because of a configuration error that occurred on August 12. The issue was discovered on September 9 and had been corrected by September 10. Patients seen by a certain doctor between January of 2007 and June of 2011 at clinics in Carmel and Indianapolis, Indiana were affected. Some hospital inpatients seen between August 2007 and August 2008 were also affected.
Information Source: Media
Records from this breach used in our total: 0

Date Made Public: May 17, 2011; Company: Eye Care Associates of the San Ramon Valley

Location: San Antonio, Texas
Type of breach: PORT
Type of organization: MED
Records Breached: 611 (No SSNs or financial information reported)
Records from this breach used in our total: 0
Information Source: PHIPrivacy.net
Patients with questions may call 925-866-2020.
A laptop with a lock to prevent theft was stolen from the ophthalmology office on the night of May 8. It contained eye photos and names of 611 patients. The laptop was not recovered.

Date Made Public: January 29, 2011; Company: Bend Ophthalmology

Location: Bend, Oregon
Type of breach: STAT
Type of organization: MED
Records Breached: Unknown
Information Source: TechTalk

Five desktop computers were stolen from the Bend office during a robbery sometime between January 26 and 27. The office is located in the Pilot Butte Medical Clinic. How much information and the kinds of information exposed were not reported. Police officer Elizabeth Lawrence said the suspect or suspects threw a lava rock through a sliding glass door in the back of the business, then unscrewed the exterior light fixture to avoid being seen. Then, police said, the thieves took off with three Dell laptops and two Dell desktops from the offices, which are housed inside the Pilot Butte Medical Clinic on 2275 SE Doctors Dr. in Bend.

Date Made Public: March 8, 2010; Company: McNair Eye Center

Location: Heber Springs, Arkansas
Type of breach: STAT
Type of organization: MED
Records from this breach used in our total: 9,000
A computer server with patient personal information was stolen.
Information Source: PHIPrivacy.net