June 20, 2022

Eye Care data breach hits millions of patients

The personal data of millions of individuals may have been stolen by hackers as a result of a data breach at Eye Care Leaders, a company that provides electronic health record and practice management solutions.

As of June 19, a list of impacted eye care providers maintained by HIPAA Journal shows that the data of approximately 2.2 million patients was potentially compromised in the Eye Care Leaders data breach.

The Durham, North Carolina-based company, which sells eye care management software solutions, claims to work with more than 9,000 ophthalmologists and optometrists. At least 23 of these eye care providers have been impacted by a data breach that Eye Care Leaders disclosed in December.

Eye Care Leaders took down the compromised systems within 24 hours after the breach was detected, but not before the attackers accessed databases and files containing patient records.

Potentially compromised information included names, addresses, birth dates, gender, phone numbers, email addresses, driver’s license numbers, health insurance information, medical record numbers, Social Security numbers, and eye care-related medical information.

“The forensics investigation revealed that databases and files compromised as part of the incident did not include credit card or financial information,” a data breach notification letter sent to Texas Tech University Health Sciences Center (TTUHSC) patients reads.

TTUHSC said Eye Care Leaders notified it on April 19 that patient data had been compromised, but claims that it has no evidence of any patient information being “accessed or used without authorization.”

The center also informed the U.S. Department of Health and Human Services that the data of more than 1.29 million of its patients might have been compromised in the data security incident.

This is not an isolated case of a cyber attack on a healthcare institution. Cancer research center Fred Hutchinson Cancer also reported that an unauthorized user gained temporary access to an employee’s email account, resulting in a data breach.