HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

VisionWorks Agrees to $100K Data Breach Settlement with Maryland AG

Visionworks LLC has agreed to settle with the Maryland Associate General for exposing the Protected Health Information (PHI) of approximately 72,000 Marylanders. The company will pay a fine of $100,000 to the state for data security failures that lead to the breach.

Two Data Breaches Reported in Quick Succession


The company discovered two separate data breaches – reported in November and December of last year – that exposed the PHI of 122,627 individuals. The first incident was classified as a lost server, which contained 74,944 records, with the second reported as a network server theft, exposing 47,683 records. The servers are most likely now in landfill; however the incident did potentially expose names, addresses, dates of birth and purchasing histories.

The company was reportedly in the process of upgrading to encrypted servers; however old servers were unsecured in the company’s stores; a breach of the HIPAA Security Rule, which requires physical safeguards to be put in place to keep PHI secured.

It is believed that the servers were mistakenly disposed of, and that there was little risk of breach victims being affected by fraud or suffering identity theft. Even so, out of an abundance of caution, a year of credit monitoring services was offered.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Settlement Reached with Maryland AG


This week, the Office of the Attorney General Consumer Protection Division entered into a settlement agreement with Visionworks for its failure to safeguard consumer information; and ensure its secure disposal. According to a statement issued by Attorney General Brian E. Frosh, “Devices that contain personal information must be properly secured and discarded. Otherwise, the door is open for data to fall into the wrong hands,” he went on to issue a warning to other companies doing business in the state of Maryland, “This case should put businesses on notice that they need to be vigilant on behalf of their customers.”

In addition to paying the state $100,000, the company must implement a number of new security measure to ensure future data breaches are prevented. The company also agreed to extend the period over which credit monitoring and identity theft protection services will be offered. Two years will now be offered without charge to individuals affected by the breach. However, this settlement only applies to the exposure of Maryland residents’ PHI. Another 50,000 individuals were affected, many of whom live in Pennsylvania. This may not be the only financial penalty Visionworks will have to pay.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.