The protected health information of up to 40,000 patients of the Jones Eye Clinic and its affiliated surgery center, CJ Elmwood Partners, L.P, in Sioux City, IA has potentially been compromised.
The breach is the result of a ransomware attack which affected data stored in an information system used for scheduling appointments and billing patients. Electronic medical records were unaffected as they were housed in a separate system which was not accessed by the attacker.
Jones Eye Clinic discovered the ransomware attack on August 23, 2018, although an investigation by a third-party forensic investigator revealed that the attacker gained access to its system and installed the ransomware on the evening of August 22.
A ransom was demanded for the keys to decrypt the files; however, no payment was made as it was possible to recover the files from backups. A full data restoration was completed on August 23.
The investigation into the ransomware attack did not uncover any evidence to suggest that the attacker viewed or obtained patient data. However, since data theft could not be ruled out, all affected patients have been offered free credit monitoring services for 12 months. Patients have been notified of the data breach by mail and have until January 19, 2019 to enroll in credit monitoring services.
The information potentially accessed was limited to full names, dates of birth, addresses, medical record numbers, dates of service, and general descriptions of surgical procedures and clinic visits. Some patients may also have had their insurance status, Social Security number, and claims information exposed. Jones Eye Clinic does not believe financial information was accessed or exposed.
The breach potentially affects all patients of the eye clinic and surgery center who registered or received medical services between January 1, 2003 and August 23, 2018.