Data Breaches Reported by UH College of Optometry and Valley Mountain Regional Center

The University of Houston College of Optometry has discovered that an unauthorized individual from outside the United States gained access to the network of an affiliated eye clinic and stole information contained in the clinic’s database.

The Community Eye Clinic in Fort Worth, TX, is managed and administered by UH College of Optometry. Security staff identified the intrusion at 9 a.m. on September 13, 2021, the morning after the breach occurred. The IT security team immediately took steps to secure the system; further defensive safeguards have been implemented to better protect patient data, and monitoring and alerts have been enhanced. A review has also been conducted of the clinic’s IT protocols and procedures to ensure that industry-standard practices are followed.

The files obtained by the attacker related to patients who received treatment at the Community Eye Clinic between May 22, 2013, and September 13, 2021. The information in the database included names, dates of birth, contact information, government ID numbers, health insurance information, passport numbers, Social Security numbers, driver’s license numbers, and diagnosis and treatment information. No financial information was stored in the database and no College of Optometry or University of Houston network systems were affected.

The 18,500 affected individuals have been advised to monitor their accounts and explanation of benefits statements for signs of fraudulent activity, to check their credit reports, and to consider placing a security fraud alert on their credit reports.

Phishing Attack on Valley Mountain Regional Center Affects 17,197 Patients

Stockton, CA-based Valley Mountain Regional Center (VMRC) has started notifying 17,197 patients that some of their protected health information was stored in email accounts that were accessed by unauthorized individuals.

VMRC detected phishing emails in its mailboxes on September 15, 2021, and took steps to remove all copies of the messages from its email system. However, the subsequent investigation into the phishing attack revealed that 14 employees had clicked the links and disclosed credentials, which allowed their email accounts to be accessed.

A comprehensive review of the contents of the affected mailboxes confirmed they contained names, addresses, dates of birth, state-issued client identifier numbers, telephone numbers, personal e-mail addresses, diagnoses, medications, other potential unique identifiers, and dates of service.

VMRC said it found no evidence to suggest any information in the email accounts was accessed, acquired, or misused; however, affected individuals have been advised to monitor their accounts and credit reports for unusual activity.

Author: Steve Alder has many years of experience as a journalist and comes from a background in market research. He is a specialist in legal and regulatory affairs and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.