Warning to specialty healthcare providers, large and small. No health care organization is safe from medical identity theft.
Two eye care entities have recently reported breaches affecting tens of thousands of individuals – Simon Eye Management in Delaware and U.S. Vision based in New Jersey.
Were they missing basic safeguards? Had they performed a HIPAA Risk Analysis?
Hacked through Email and Access to Server
Simon Eye Management
Simon Eye Management operates a chain of clinics that provide eye exams, eyeglasses and surgical evaluations. They reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) on September 14th an email hacking incident that affected more than 144,000 individuals. An unauthorized third party accessed employee email accounts from May 12 to May 18, 2021, and attempted to engage in wire transfer and invoice manipulation attacks against the company.
Simon Eye reported that the information compromised by the incident includes individuals’ names, medical history, treatment or diagnosis information, health information, health insurance information and – for a smaller number – potentially their Social Security number, date of birth and/or financial account information.
U.S. Vision
U.S. Vision is a national eye care provider operating freestanding and licensed retail locations at places like J.C. Penney, Meijer and military bases. The company reported to OCR on September 3 a hacking/IT incident involving a network server that affected 180,000 individuals. The intrusion occurred between April 20 and May 17, 2021.
Investigators have determined that records related to certain customers and employees may have been viewed and/or taken by an unauthorized individual. The compromised information includes individuals’ names, eye care insurance information and, for some, their address, date of birth and/or other individual identifiers.
Attacks on Other Eye Care Providers
Numerous other large health data breaches involving eye care and vision entities have been reported to OCR over the past year, including:
- In May 2021, 20/20 Eye Care and Hearing Care Network, a Florida-based company, reported that nearly 3.3 million individuals’ personal and health information had been accessed or downloaded – and then deleted – by an “unknown” actor in January.
- In March 2021, Cochise Eye and Laser, based in Sierra Vista, Arizona, reported that a February ransomware incident affected the protected health information of about 100,000 individuals.
- In October 2020, a U.S. unit of Luxottica, an Italian eye care provider, reported a hacking breach affecting over 829,000 individuals.
- In September 2020, EyeMed Vision Care LLC reported a hacking incident affecting nearly 1.5 million individuals.
Prevention Costs Less Than Cleanup
As we’ve written before, data breaches are expensive, but prevention is not. Running a business requires managing risks and keeping expenses down. Don’t wait until theft happens to strengthen your defenses.
The blueprint for defense against medical identity theft is strong HIPAA compliance. Compliance is affordable. Basic cybersecurity awareness training for staff is affordable. Managing risks in advance of a threat is affordable and makes good business sense.