EyeMed Phishing Attack Exposes Tufts Health Plan Members’ PHI


The protected health information of 60,545 Tufts Health Plan subscribers has been exposed as a result of a phishing attack on the vision benefits management firm EyeMed.

The phishing attack happened in June 2020 and was identified by EyeMed on July 1, 2020. Access to the breached account was shut down the same day. EyeMed alerted Tufts Health Plan about the breach in September 2020.

The impacted email account contained the following protected health information: names, addresses, dates of birth, phone numbers, email addresses, vision insurance account/identification numbers, health insurance account/identification details, Medicaid or Medicare numbers, driver’s license or other government identification numbers, and birth or marriage certificates. For some people, partial or full Social Security numbers and/or financial information, medical diagnoses and conditions, treatment information, and/or passport numbers were also included.

Impacted individuals have been offered a free two-year membership to credit monitoring and identity protection services.

Elsewhere, two proton radiation therapy centers in Tennessee have been impacted by a security incident. The attack occurred in the early hours of October 28, 2020 and affected The Proton Therapy Center, LLC in Knoxville and MTPC, LLC in Nashville.

The attack has caused continued disruption to some clinical and financial operations, although care continues to be delivered safely and effectively. Efforts are underway to mitigate the attack, and established back-up processes, including offline documentation methods, have been adopted.

The review into the breach has not uncovered any evidence that patient or employee information was duplicated, accessed, or improperly used.

Finally, Liv-On Family Care Center in St. Paul, MN is notifying 1,580 patients that computer equipment holding their protected health information was stolen in a break-in on October 25, 2020.

The thieves took computers, laptops, and tablets that held information including patients’ names, dates of birth, addresses, Social Security numbers, medical records, and other data. The devices were password protected but not encrypted, so there is potential for PHI to be accessed. The theft has been reported to the relevant law enforcement agencies, but the stolen computer equipment has not been recovered.