Eye Care Leaders Hack Impacts Hundreds of Thousands of Patients

Share this article on:

Unauthorized individuals have gained access to the systems of Eye Care Leaders, a provider of electronic health records and patient management software solutions for eye care practices. On or around December 4, 2021, hackers gained access to its myCare Identity solution and deleted databases, systems configuration files, and data.

Eye Care Leaders said its incident response team immediately stopped the unauthorized activity when the breach was detected and launched an investigation into the security breach. The investigation is ongoing, but notifications have now been sent to affected ophthalmology and optometry practices.

While the investigation has not uncovered evidence to suggest the attackers viewed or exfiltrated sensitive data, the possibility of unauthorized data access and theft could not be ruled out. The types of information that have been exposed included patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding the care received at the affected eye care practices. The breach was confined to the myCare Identity solution. The systems of eye care providers that use the solution were not compromised. It is currently unclear how many individuals have been affected by the breach. The Eye Care Leaders website states that it provides software solutions to more than 9,000 ophthalmologists and optometrists.

Nashville, TN-based Summit Eye Associates sent notifications to affected patients on April 28, 2022, and has reported the breach to the HHS’ Office for Civil Rights as affecting up to 53,818 individuals. Kettering, OH-based Allied Eye Physicians & Surgeons has confirmed the PHI of 20,651 individuals has been exposed, and Kirkland, WA-based EvergreenHealth has also been affected and sent notifications to 20,533 patients on April 22, 2022. EvergreenHealth said it is examining its relationship with Eye Care Leaders and assessing the security safeguards that have been implemented.

Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown in West Virginia have been affected and have had the records of 194,035 individuals exposed in the incident. A data breach involving EHRs has also recently been reported by Central Vermont Eye Care (30,000 individuals), but HIPAA Journal has not been able to confirm at this stage whether the Central Vermont Eye Care data breach was due to the cyberattack on Eye Care Leaders.

Update…

The number of eye care providers affected by the breach has been growing. Over the past few days,  several other eye care providers have confirmed they have been affected by the breach, including:

Frank Eye Center in Kansas – 26,333 records
Arkfeld, Parson, and Goldstein, dba Ilumin in Nebraska – 14,984 records
Northern Eye Care Associates in Michigan – 8,000 records
Ad Astra Eye in Arkansas – 3,684 records

At present, around 348,000 patient records are known to have been exposed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On