US Eye-Care Providers Report Data Breaches

The protected health information of hundreds of thousands of Americans has been exposed in two separate security incidents at eye-care providers in the United States.

Simon Eye Management reported a data breach to the Department of Health and Human Services’ Office for Civil Rights on September 14. An email hacking incident at the Delaware-based eye-care group exposed the data of 144,000 individuals.

According to a notice issued by Simon Eye, suspicious activity “related to certain employee email accounts” was observed on or about June 8. An investigation carried out with the help of third-party computer forensic specialists found that unauthorized access to some employee email accounts had occurred from May 12, 2021, to May 18, 2021.

“Our investigation revealed that the unauthorized third party attempted to engage in wire transfer and invoice manipulation attacks against the company, none of which were successful,” said the eye-care group.

Information impacted by the incident may have included names, medical histories, treatment or diagnosis information, and health insurance information. In addition, Simon Eye said that “a smaller number of individuals” may also have had their Social Security numbers, birth dates, and/or financial account information exposed.

The eye-care provider said that it had not discovered any evidence of data misuse linked to the incident. 

On May 12, USV Optical, Inc., a subsidiary of U.S. Vision, Inc., noticed suspicious activity on its network. A forensic investigation confirmed that hackers could access specific USV Optical servers and systems for nearly a month.

It was determined that data belonging to 180,000 individuals (employees and patients) might have been accessed and possibly exfiltrated by an unauthorized individual from April 20, 2021, to May 17, 2021. 

Information that could have been compromised included names, eye-care insurance information, and insurance claims information. In a security notice, USV Optical said that addresses, dates of birth, and/or “other individual identifiers” may also have been exposed for some individuals. 

“We have no evidence of any identity theft or fraud occurring as a result of this incident,” stated USV Optical, adding that they “are reporting this incident to relevant state and federal regulators as required.”
