HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 40,000 Patients of Sioux City Eye Clinic Potentially Compromised

The protected health information of up to 40,000 patients of the Jones Eye Clinic and its affiliated surgery center, CJ Elmwood Partners, L.P., in Sioux City, IA, has potentially been compromised.

The breach is the result of a ransomware attack which affected data stored in an information system used for scheduling appointments and billing patients. Electronic medical records were unaffected as they were housed in a separate system which was not accessed by the attacker.

Jones Eye Clinic discovered the ransomware attack on August 23, 2018, although an investigation by a third-party forensic investigator revealed that the attacker gained access to its system and installed the ransomware on the evening of August 22.

A ransom was demanded for the keys to decrypt the files; however, no payment was made as it was possible to recover the files from backups. A full data restoration was completed on August 23.

The investigation into the ransomware attack did not uncover any evidence to suggest that the attacker viewed or obtained patient data. However, since data theft could not be ruled out, all affected patients have been offered free credit monitoring services for 12 months. Patients have been notified of the data breach by mail and have until January 19, 2019, to enroll in credit monitoring services.

The information potentially accessed was limited to full names, dates of birth, addresses, medical record numbers, dates of service, and general descriptions of surgical procedures and clinic visits. Some patients may also have had their insurance status, Social Security number, and claims information exposed. Jones Eye Clinic does not believe financial information was accessed or exposed.

The breach potentially affects all patients of the eye clinic and surgery center who registered or received medical services between January 1, 2003 and August 23, 2018.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.