Visionworks has announced that it has suffered a second major security breach in less than a month, bringing the total number of patients affected over the past four weeks to 122,627 individuals.
Visionworks sent breach notifications to 75,000 patients last month after a computer server went missing following a security upgrade. The missing server is believed to have been inadvertently thrown out along with construction debris during the refurbishment of the Visionworks facility at Jennifer Square in Annapolis, MD.
The latest breach affects patients who received services at the company's Florida store in the Mall of the Avenues, Jacksonville. That store's server was also upgraded; the old server, which held the protected health information (PHI) and personal details of approximately 48,000 patients, cannot be located. As with the earlier loss, the incident is being attributed to an employee who may have inadvertently disposed of the server, although the breach letter does not confirm that this is definitely what happened. The optical care services provider maintains that the two incidents are not linked.
Even though the location of the server is unknown, Visionworks considers the risk to patients low and believes it unlikely that any of the data has been accessed or used by unauthorized individuals. Some credit card information was stored on the server, but it was encrypted and so unreadable to anyone without the decryption key. The breach letter sent to the 48,000 affected patients states that the health information on the server was only partially encrypted, but that no information about patient examinations or diagnoses was exposed.
While the perceived risk to patients is low, all affected individuals have been advised to watch their finances closely and to sign up for credit monitoring, which Visionworks will provide free of charge for a period of 12 months.
The two incidents suggest flaws in data privacy and security policies at Visionworks and hint at violations of the HIPAA Privacy and Security Rules. The Privacy Rule governs how, when and to whom PHI in any form may be used or disclosed, and requires covered entities to have appropriate administrative, technical and physical safeguards in place to protect the privacy of that information. The Security Rule sets out the administrative, physical and technical safeguards that must be applied specifically to electronic PHI (ePHI).
The Security Rule's device and media controls cover the final disposal of ePHI and of any hardware or electronic media on which it is stored. The Rule does not prescribe a particular sanitization method (HHS guidance points to the media sanitization practices in NIST SP 800-88), but covered entities must ensure that PHI and other personal information is rendered unreadable and unrecoverable before the hardware holding it leaves their control. A server that cannot be found, encrypted or not, plainly fails that test.
It is possible that Visionworks failed to implement the controls needed, such as tracking decommissioned hardware and sanitizing its storage, to keep PHI protected during and after hardware upgrades. Should Visionworks be found to have violated HIPAA regulations, it could face considerable financial penalties from the Office for Civil Rights.