It has been revealed that USV Optical Inc., a subsidiary of U.S. Vision Inc., suffered a security breach in which cybercriminals obtained access to a range of databases holding patients’ protected health information (PHI).
The breach was initially noticed on May 12, 2021 and prompted an in-depth forensic investigation, which revealed that unauthorized individuals were able to log onto its systems during the period from April 20, 2021 to May 17, 2021. On May 17 the group was able to secure its systems and prevent further unauthorized access attempts.
An external firm of computer forensics specialists is conducting an ongoing review of the breach to ascertain the extent of the infiltration. To date, however, they have been able to confirm that it is likely that hackers viewed and exfiltrated patient data.
The following range of employee and patient PHI could have been stolen:
- Eye care insurance data
- Eye care insurance application
- Claims information
Additionally, it is thought that a smaller subset of individuals may also have had the following data exposed:
- Birth dates
- Other individual identifiers
No proof of attempted or actual misuse of personal and protected health information as a result of the security breach has been detected to date.
USV Optical said in its release that it has been, and still is, working hard to investigate and address the data breach. It is focusing on identifying and alerting those who may have had their PHI impacted.
It also aims to examine its internal data protection policies in order to identify opportunities to bolster the security that it provides.
This is the second major data breach to be reported by an eye care provider in recent weeks, after Simon Eye Management revealed that it suffered an email security breach. In that incident, the PHI of 144,000 individuals was accessible for a period of time.
The USV Optical Inc. data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights, and the breach notice stated that it could have impacted as many as 180,000 people.
Breach notifications are currently being sent to those who have been identified as possibly impacted. The notifications include some guidance on the measures that the group has implemented to protect client identities.