Before the recent ransomware attack on MyEyeDr. Optometry in Colorado P.C, which is a network of offices offering vision care, some protected health information (PHI) of 1,475 Colorado residents were potentially compromised.
The attacker accessed part of the MyEyeDr. systems on December 11, 2019 then downloaded and deployed the ransomware. MyEyeDr. immediately took action to block further unauthorized access and regain all impacted patient records. The network did not pay the ransom demand.
Although most of the encrypted data can be restored, certain files were not recovered and stayed encrypted. An independent computer forensics company investigated the attack to know if the attackers stole any information before file encryption. The forensics company did not find any evidence that indicates the exfiltration of data and believed that the attackers only encrypted files with the intent to extort money from MyEyeDr.
The patient information contained in the affected systems included names, birth dates, diagnoses, clinical data, and treatment details. The attack only affected the patients who received services at Colorado MyEyeDr. locations from December 1 to December 10, 2019.
7,983 Today’s Vision Willowbrook Patients Affected by Improper Disposal Incident
MyEyeDr. also encountered another breach that resulted in the compromise of the PHI of 7,983 patients from Today’s Vision Willowbrook. Capital Vision Services, dba MyEyeDr. acquired Today’s Vision Willowbrook in February 2019.
Some time in May 21, 2019, MyEyeDr. found out that Today’s Vision Willowbrook patients’ historic records were disposed of in an inappropriate manner. The patient records should have been securely destroyed. Instead, they were discarded in a dumpster within Tomball, Texas.
The compromised records included the following patients’ data: names, addresses, birth dates, Social Security numbers, clinical data, and billing data. The information belonged to patients who went to Today’s Vision Willowbrook from 1997 t 2003.
The media reported about the improper disposal and local law enforcement officials went to the dumpster and gathered the patient records. According to MrEyeDr., because of the quick action of Tomball’s police in getting the records, it is believed that unauthorized third parties did not have any opportunity to misuse any of the information included in the patient records.
MyEyeDr. stated that no MyEyeDr. employee had possession of the records and that employees of Today’s Vision Willowbrook did not appear to have dumped the patient records.