180K patients affected by USV Optical systems hack, health data theft

USV Optical notified 180,000 patients and employees that their health information was accessed and potentially stolen during a near monthlong systems hack in April and May 2021. USV Optical is part of U.S. Vision, a subsidiary of the optometric dispensary chain Refac Optical Group, which commonly operates out of large department stores.

On May 12, USV discovered unusual activity on its servers and systems and launched an investigation with assistance from a third-party computer forensics specialist firm to determine the scope of the incident.

The investigation found that an attacker first gained access to the network on April 20, evading detection for nearly a month until they were detected on May 17. The hack enabled the actors to view and/or exfiltrate a number of records belonging to both patients and employees.

The data included names, insurance information, subscriber details, claims information, and insurance applications. For a smaller subset of individuals, the information could include contact information, dates of birth, and other personally identifiable information. In response, USV is currently reviewing and bolstering its existing data protection policies.

Simon Eye Management email hack impacts 144K patients

The hack of multiple employee email accounts at Simon Eye Management led to the compromise of information tied to 144,373 patients.

After observing suspicious activity within an employee email account on June 8, Simon Eye began investigating with support from third-party specialists, who found that several employee email accounts were accessed between May 12 and May 18, 2021.

The investigators determined the attackers used the access to unsuccessfully launch a number of wire transfer and invoice manipulation attacks against Simon Eye. While it appears the malicious activity was the driving force behind the account hacks, the investigation could not rule out data access.

The compromised accounts contained information that varied by patient and could include medical histories, treatments, diagnoses, health information, health insurance details, insurance applications, claims data, and other sensitive information. For some patients, Social Security numbers, financial account details, and dates of birth were also affected.

Simon Eye responded to the incident by resetting user passwords and strengthening data security protocols. The specialist is continuing to evaluate its safeguards and will implement additional controls, where needed.

‘Sophisticated’ tech enables actors to evade detection on Austin Cancer networks

A cyberattack on Austin Cancer Centers led to the compromise of data belonging to 36,503 patients. According to its detailed breach notice, the threat actors hacked into the system on July 21 and used “sophisticated technology” to evade detection for two weeks, before deploying malware on Aug. 4.

The cyberattack and its subsequent discovery prompted the security team to shut down the systems and contact law enforcement. In total, the security incident lasted for 14 days as the forensics team worked to identify and uncover the attack details.

Further, the incident led to prolonged outages of Austin Cancer Center’s technology systems, with the care team employing manual processes to maintain patient care and treatments.

As a result of the hack, the attackers may have been able to access some protected health information, including SSNs, diagnoses, codes, medications, lab results, conditions, insurance carrier names, current procedural terminology codes, and other related information. For a limited number of patients, credit card information may have been impacted.

Austin Cancer Centers has been working with a third-party forensics team throughout the attack and recovery efforts, including full restoration of data. The FBI and local police department were also notified.

All staff have been retrained on security matters, and the provider has implemented additional technical safeguards to prevent a recurrence. All systems and operations have since been fully restored.

Horizon House notifies patients of March ransomware attack, data theft

Individuals who’ve received services from Horizon House in Philadelphia are just now being notified that their data was potentially stolen during a ransomware-related incident in March. Horizon is a nonprofit, daytime-only homeless shelter that provides behavioral health, outpatient, community-based treatment, and other services.

Under the Health Insurance Portability and Accountability Act, covered entities and relevant business associates are required to report data breaches impacting more than 500 patients within 60 days of discovery.

On March 5, Horizon Health detected abnormal activity on its systems and launched an investigation, while working to restore its systems. They found that the attacker was able to view and possibly exfiltrate a range of health-related data during the course of a few days.

The data included names, contact details, SSNs, driver’s licenses, medical record numbers, patient account numbers, financial account details, claims data, health insurance information, dates of birth, diagnoses, treatments, and other medical information. This type of data is commonly used for health care fraud attempts.

Horizon Health has notified law enforcement and has worked to assess its systems security.

Texoma Community Center reports monthslong email hack from 2020

The data belonging to 24,030 patients and employees of Texoma Community Center was compromised over the course of several months last year, after the hack of multiple employee email accounts. TCC provides mental health, behavioral health, and developmental disability services to patients in Sherman, Texas.

TCC first discovered the hack on October 20, 2020, after observing several email accounts sending unauthorized messages. An investigation supported by an outside computer forensics firm found that the attacker had access to the accounts between Sept. 24, 2020 and Dec. 1, 2020.

The investigators were unable to determine which email messages the attacker may have viewed, which prompted a review of the accounts’ contents. The manual account review, which did not conclude until July 15, found that the compromised data varied by patient. Again, under HIPAA, covered entities are required to notify patients within 60 days of discovery.

The data contained a trove of highly sensitive information, including names, dates of birth, medical histories, treatments, diagnoses, health data, insurance details, insurance applications, military IDs, facial photographs, unique biometric data, digital signatures, driver’s licenses, vehicle identification numbers, and even usernames and passwords.

For some patients, SSNs, driver’s licenses, credit cards, or financial account details were also included.

TCC has since reset all employee passwords and secured the impacted accounts. The provider is currently implementing further safeguards and providing staff with additional security training.

Jessica Davis
