Panorama Eyecare Notifies 377K Individuals a Year After Ransomware Attack
In July 2023, the LockBit ransomware group added Panorama Eyecare to its data leak site and claimed to have exfiltrated 798 GB of data from the Fort Collins, CO-based physician-led management services organization. The ransomware group claimed to have obtained data from its clients, including Eye Center of Northern Colorado, Denver Eye Surgeons, Cheyenne Eye Clinic & Surgery Center, and 2020 Vision Center.
Panorama Eyecare has now confirmed the attack, a year after the intrusion was first detected. According to the breach notification issued to the Maine Attorney General, the intrusion was detected on June 3, 2023. The letters state that the forensic investigation confirmed that an unauthorized actor had access to its network between May 22, 2023, and June 4, 2023, and that as a result of the cybersecurity incident the attacker “may have accessed and removed certain files from our network environment.”
The delay in issuing HIPAA notification letters was due to the comprehensive review of the impacted files, which took until May 9, 2024, to complete. That review confirmed that the following data was involved: names, Social Security numbers, dates of birth, driver’s license numbers/state IDs, financial account information, dates of service, and medical provider names.
Panorama Eyecare said external cybersecurity experts were engaged to help secure its systems and investigate the incident, and that all of its systems and networks are now secure. Additional measures have been taken to prevent further incidents of this nature, and cybersecurity measures and practices are continuously evaluated and modified to enhance the security and privacy of patient information.
According to Panorama Eyecare’s website notification, “Panorama has no evidence that any of the compromised information has been misused for identity theft.” The notice does not state whether credit monitoring and identity theft protection services are being provided free of charge, although the Maine Attorney General’s website indicates that they are being provided for free for 12 months, at least to Maine residents.
Affected individuals should certainly take advantage of those services. While The HIPAA Journal was unable to determine whether the stolen files are still available, LockBit says that all files exfiltrated in the attack have been published.
The breach notice sent to the Maine Attorney General indicates that 377,911 individuals potentially had their information compromised in the attack. The HHS’ Office for Civil Rights breach portal does not currently show the number of patients affected by the breach. OCR recently confirmed that it takes around two weeks to verify the breach reports it receives before they are added to its breach portal.



