Eye Care EMR Breach

Eye Care Leaders, an ophthalmology EMR solution, announced that it had been breached. The EMR vendor first discovered the incident in December 2021. The investigation found that at least eight eye care providers were impacted, affecting upwards of 342,000 patients. Affected providers were notified of the incident on March 1, 2022, so that they could take steps to notify patients.

What Did the Breach Notice Tell Us?

According to the breach notices sent to patients, the EMR breach occurred when a data security incident allowed unauthorized access to the system. As a result, the unauthorized party was able to delete information from the EMR.  

One of the eye care providers, Regional Eye, stated in a breach notice, “We regret to inform you that our practice learned that our third-party vendor used for electronic medical records had a breach which may involve your personal health information… Our vendor informed us that the incident involved an individual who gained access to our vendor’s system on December 4, 2021. This individual deleted several databases between the hours of 7:18 pm and 10:13 p.m. before being discovered and locked out of the system. At this time, we do not have any evidence which leads us to believe that any personal health information was exfiltrated, but the investigation is ongoing.”

Eye Care Leaders informed the affected providers that they had taken steps to prevent incidents from occurring in the future. They have “… implemented technical, administrative, and physical safeguards to protect against future attacks. This includes reviewing and updating access controls, permissions, and data storage security procedures.”


Which Eye Care Providers Were Affected?

So far, eight eye care providers have reported that they were affected by the EMR breach. The providers affected have been listed on the Office for Civil Rights (OCR) online breach portal.

  • Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown: 194,035 individuals impacted
  • Summit Eye Associates: 54,000 individuals impacted
  • Frank Eye Center: 26,333 individuals impacted
  • Allied Eye Physicians and Surgeons: 20,651 individuals impacted
  • EvergreenHealth: 21,000 individuals impacted
  • Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin: 14,984 individuals impacted
  • Northern Eye Care Associates: 8,000 individuals impacted
  • Ad Astra Eye: 3,700 individuals impacted

Recovering From a Breach

Although it is unclear which providers (if any) have regained access to files stored on the EMR, as a rule, it is essential to have an incident response plan in place. An effective incident response plan – including offsite data backup and disaster recovery – aids in restoring files and returning to business as usual. Providers with a tested incident response plan drastically reduce the time it takes to recover from an incident, and the cost as well, saving $360,000.