HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

30,000 Patients Impacted by May Eye Care Center Ransomware Attack

A July 2018 ransomware attack on May Eye Care Center in Hanover, PA saw a range of sensitive patient information encrypted, including data in its electronic medical record system.

The ransomware attack was discovered by May Eye Care on July 29, 2018. The ransomware was downloaded on a server that contained patients’ names, addresses, dates of birth, insurance information, diagnoses, treatment information, clinical information, and a limited number of Social Security numbers.

May Eye Care Center called in a leading computer forensics company to investigate the breach and an IT firms that specializes in data security was engaged to conduct a full review of security systems and protocols. Security has now been improved to prevent further attacks.

A ransom demand was received, but no payment was made. May Eye Care Center was able to recover all of the files encrypted by the ransomware from backups without any loss of data.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Al patients impacted by the incident have been notified and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on October 11. The breach summary on the OCR Breach Portal indicates 30,000 patients were impacted by the incident.

May Eye Care Center believes the sole purpose of the attack was to obtain a ransom payment. No evidence has been uncovered to suggest any patients’ protected health information was accessed by the attackers and no reports of misuse of PHI have been received. However, since data theft cannot be ruled out, all patients have been advised to check their credit reports, accounts, and explanation of benefits statements for any sign of fraudulent activity.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.