Malware Responsible for Reeve-Woods Eye Center HIPAA Breach

The Reeve-Woods Eye Center – an eye treatment clinic consisting of two centers in Chico, CA, and Paradise, CA – discovered on Wednesday, September 17, 2014 that malware had been installed on two of its computers.

The malware was discovered by an IT consultant engaged by the clinic, who established that the malware was taking screenshots of the computers; essentially making a digital photocopy of the data being viewed on the screen. Each time a patient file was opened, a snapshot was taken.

This means that a wide range of data could potentially have been obtained by the criminals responsible for the malicious software. Because the malware captured whatever was displayed on screen rather than copying files from disk, any record opened on those machines while it was active is potentially exposed. The persons affected are those who visited the center for treatment or otherwise had their files accessed on either of the two computers on which the malware had been installed.

The data potentially exposed includes names, addresses, contact telephone numbers, Social Security numbers, dates of birth, dates of service, medical insurance details, diagnosis and treatment codes, medical histories, Medi-Cal IDs and Medicare ID numbers, as well as any other data stored in digital files that had been accessed during the period of time that the malware was active. Over 30,000 patients are believed to have been affected.

While the malware may have taken snapshots of the data, the eye center said in a breach notification letter – sent on November 12, 2014 and posted on the State of California Department of Justice Office website – that “we have not seen any evidence that shows patients’ information was actually viewed or otherwise utilized by a third party. Our investigation, however, is ongoing, and we may uncover evidence your personal information was inappropriately accessed.”

Reeve-Woods Eye Center has confirmed that the malware has now been removed and that no further threat remains of more data being captured. Any person receiving a breach notification letter has been advised to request a free credit report from each of the main credit bureaus – Experian, Equifax and TransUnion. Patients are also advised to monitor their credit and Explanation of Benefits (EOB) statements closely for any sign of fraudulent activity.

The eye center is not, at this stage, offering credit monitoring services free of charge to affected individuals. The credit reporting agencies are obliged by law to provide individuals with one free credit report every year on request. The cost of any additional protection, such as continuous credit monitoring services, will at this stage have to be paid for by the victims.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.