Millennium Eye Care Says Ransomware Gang Stole a Large Amount of Patient Data

Millennium Eye Care, a Freehold, NJ-based provider of ophthalmology services, announced on December 22, 2021, that hackers recently gained access to its computer network and used ransomware to encrypt files in an attempt to extort money from the practice.

The breach notification letters do not make clear when the attack occurred, but Millennium Eye Care said it discovered on November 14, 2021, that the attackers had exfiltrated “a large amount of data” prior to encrypting files. The files obtained in the attack included a range of protected health information, including names and Social Security numbers.

Millennium Eye Care said it has increased network security measures to reduce the risk of further attacks and has provided additional cybersecurity training to the workforce to help them recognize external attacks.

Affected individuals have been notified by mail and have been provided with information on the steps they can take to protect against identity theft and fraud. Identity theft protection services are being provided free of charge and affected patients will also be covered by a $1,000,000 identity theft reimbursement policy.

The breach has been reported to regulators but has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

Cyberattack Reported by Duneland School Corporation

Duneland School Corporation in Indiana has notified the HHS’ Office for Civil Rights about a recent cyberattack in which the protected health information of 7,000 individuals was potentially compromised.

The cyberattack was detected on October 27, 2021, and resulted in certain systems within its computer network being made unavailable. A third-party cybersecurity firm was engaged to investigate and determine the nature and scope of the attack. The investigation confirmed that unauthorized individuals had access to parts of its network between October 21 and October 27, and those systems contained the personal information of employees and information related to its self-insured health plan, such as names, dates of birth, Social Security numbers, driver’s license numbers, and benefits information.

Duneland School Corporation says it has implemented additional safeguards and technical security measures to prevent any further cyberattacks. Identity monitoring services are being provided to current and former employees, beneficiaries, and dependents whose data were compromised.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.