In early December of 2021, Eye Care Leaders (Eye Care), an electronic medical record vendor supplying business associate services to eye care providers across the country, discovered it had incurred a data breach. The breach quickly disabled systems.
The intruder accessed compromised information, including name, address, phone numbers, health insurance information, and medical information related to eye care services – protected health information. Upon conducting a forensic exam in April, Eye Care Leaders began to notify affected providers of the bad news. Texas Tech University Health Science Center (“Texas Tech”) is the hardest-hit provider, with 1.3 million patients affected. To date, 28 eye care providers have confirmed that they have been affected. Over 2.2 million individuals have been affected by the breach. Details of the Texas Tech eyecare breach saga are provided below.
Texas Tech Eyecare Breach Claims New Victims: It’s an Attack!
EMR vendor Eye Care Leaders provides patient management software solutions for over 9,000 ophthalmology and optometry practices. Eye Care’s myCare Integrity solution was hacked via a ransomware attack on December 4, 2021.
Eye Care Leaders took down the compromised systems within 24 hours after breach detection and terminated the unauthorized access, but not before the hackers accessed files and databases containing patient records.
Eye Care then conducted a forensic exam in April of 2022. Eye Care determined that the unauthorized activity compromised numerous individual identifiers, including:
- Names, addresses, and phone numbers
- Email addresses
- Gender
- Dates of birth
- Medical record numbers
- Health insurance information
- Appointment information
- Social Security numbers
- Medical information related to ophthalmology services
Texas Tech then provided notification of the breach to its patients. In its breach notification letter, Texas Tech indicated that the compromised databases and files did not include credit card or financial information. As required by law, Texas Tech notified the Department of Health and Human Services (HHS) that the data of approximately 1.29 million of its patients might have been compromised in the attack.
Eye Care Leaders Breach Compromises Additional Patient Information
The attackers did not limit their activities to the Texas Tech eyecare breach. As the hackers caused the Texas Tech eyecare breach, they were going to work on other eye care providers. To date, 28 eye care providers have been the victim of an attack originating from the Eye Care Leaders breach. The protected health information of more than 2 million patients has been exposed and potentially compromised.
During one week in mid-July alone, five eye care providers reported that patient data had been compromised by the ransomware attack. The providers (along with the number of affected patients of each) include:
- Spectrum Eye Physicians in California (approximately 175,000 patients)
- Chesapeake Eye Center in Maryland (approximately 33,000 patients)
- Orangeburg Eye Center (approximately 9,000 patients)
- Stokes Regional Eye Centers (amount of patients currently unknown)
- Sharper Vision (amount of patients currently unknown)
The remaining affected providers (along with the number of affected patients) are:
- Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown in West Virginia (approximately 194,035 patients)
- Texas Eye Associates (approximately 75,092 patients)
- Precision Eye Care in Missouri (approximately 58,462 patients)
- Shoreline Eye Group in Connecticut (approximately 57,047 patients)
- Summit Eye Care Associates in Tennessee (approximately 53,818 patients)
- AU Health in Georgia (approximately 50,631 patients)
- Finkelstein Eye Associates in Illinois (approximately 48,587 patients)
- Moyes Eye Center, PC in Missouri (approximately 38,000 patients)
- McCoy Vision Center in Alabama (approximately 33,930 patients)
- Frank Eye Center in Kansas (approximately 26,333 patients)
- Lori A. Harkins MD, P.C. dba Harkins Eye Clinic in Nebraska (approximately 23,993 patients)
- Allied Eye Physicians & Surgeons in Ohio (approximately 20,651 patients)
- EvergreenHealth in Washington (approximately 20,533 patients)
- Sylvester Eye Care in Oklahoma (approximately 19,377 patients)
- Cherry Creek Eye Physicians and Surgeons, P.C. in Colorado (approximately 17,732 patients)
- Arkfeld, Parson, and Goldstein, dba Ilumin in Nebraska (approximately 14,984 patients)
- Associated Ophthalmologists of Kansas City, P.C. in Missouri (approximately 13,461 patients)
- Northern Eye Care Associates in Michigan (approximately 8,000 patients)
- Ad Astra Eye in Arkansas (approximately 3,684 patients)
- Fishman Vision in California (approximately 2,646 patients)
- Burman & Zuckerbrod Ophthalmology Associates, P.C. in Michigan (approximately 1,337 patients)
- Kernersville Eye Surgeons in North Carolina (amount unknown)
Further Details Emerge
Several of these providers have shed further light on the details of the Eye Care Partners breach. Sharper Vision notified affected patients, describing the cyberattack as having caused EMR downtime for at least a week for some providers.
Chesapeake Eye conducted an independent investigation prior to the incident, which revealed that Eye Care Leaders used layers of encryption for Chesapeake’s data. Still, it failed to actually encrypt the patient information itself.
The fallout from the Eye Care Leaders breach incident is already significant. While Eye Care Leaders assured Chesapeake Eye that all patient information would be encrypted going forward, Chesapeake nonetheless is considering terminating its relationship with Eye Care Leaders (Chesapeake stated as much in its notice to affected patients).
Spectrum has already made its decision – Spectrum terminated its EMR contract with Eye Care Leaders, and plans on transferring its PHI to another vendor. More ominously, Spectrum has stated that it is “working with its legal counsel to determine what, if any recourse, we have concerning this breach.”
To date, no investigation has uncovered evidence suggesting the attackers actually withdrew (exfiltrated) sensitive data. However, the possibility of unauthorized data access and theft cannot be definitively ruled out.
