Luxottica, a business associate that owns popular eye care clinic chains including Target Optical, EyeMed, and LensCrafters, fell victim to a breach that affected 829,454 patients. More details on the business associate breach are discussed below.

Business Associate Breach: What Happened?

On August 5, Luxottica’s appointment scheduling app was hacked, although the company did not discover the hack until a few days later. Upon discovering the hack, Luxottica launched an investigation into the incident. The investigation uncovered that 829,454 patients’ protected health information (PHI) was compromised as a result of the business associate breach.


The PHI that was potentially accessed included full patient names, contact information, appointment dates and times, health insurance policy numbers, and doctor or appointment notes that may indicate information related to eye care treatment, such as prescriptions, health conditions or procedures. In addition, some patients’ Social Security numbers and credit card numbers were compromised.

At this time, Luxottica has no evidence that the PHI has been misused; however, there is always potential for serious consequences when a patient’s Social Security number or financial information is exposed.

Patients affected by the breach will receive a breach notification letter in the mail. In addition, Luxottica released the following statement regarding the business associate breach: “We encourage potentially impacted individuals to remain vigilant. If you discover any suspicious activity on your accounts or if you suspect identity theft or fraud, report it immediately to your health plan or insurer. We regret that this incident occurred and take our data protection responsibilities very seriously. We have taken measures to enhance our security controls and prevent this type of incident from recurring, including implementing additional access restrictions on our patient scheduling platform. We also notified federal law enforcement of this matter.”
