25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

PHI of 40,000 Patients of Sioux City Eye Clinic Potentially Compromised

Posted By on Oct 26, 2018

The protected health information of up to 40,000 patients of the Jones Eye Clinic and its affiliated surgery center, CJ Elmwood Partners, L.P, in Sioux City, IA has potentially been compromised.

The breach is the result of a ransomware attack which affected data stored in an information system used for scheduling appointments and billing patients. Electronic medical records were unaffected as they were housed in a separate system which was not accessed by the attacker.

Jones Eye Clinic discovered the ransomware attack on August 23, 2018, although an investigation by a third-party forensic investigator revealed that the attacker gained access to its system and installed the ransomware on the evening of August 22.

A ransom was demanded for the keys to decrypt the files; however, no payment was made as it was possible to recover the files from backups. A full data restoration was completed on August 23.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The investigation into the ransomware attack did not uncover any evidence to suggest that the attacker viewed or obtained patient data, although since data theft could not be ruled out, all affected patients have been offered free credit monitoring services for 12 months. Patients have been notified of the data breach by mail and have up to January 19, 2019 to enroll for credit monitoring services.

The information potentially accessed was limited to full names, dates of birth, addresses, medical record numbers, dates of service, and general descriptions of surgical procedures and clinic visits. Some patients may also have had their insurance status, Social Security number, and claims information exposed. Jones Eye Clinic does not believe financial information was accessed or exposed.

The breach potentially affects all patients of the eye clinic and surgery center who registered or received medical services between January 1, 2003 and August 23, 2018.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist