Ransomware, Incident Response, Breach

Another 1.3M patients added to data breach tally of ransomware attack on Eye Care Leaders

About 1.3 million patients whose data was breached in a ransomware attack on EHR vendor Eye Care Leaders were added to HHS’s breach reporting tool. Pictured: Glasses are on display at the 628th Medical Group Optometry Clinic Jan. 31, 2022, at Joint Base Charleston, S.C. (Airman 1st Class Ashlee Galloway/Air Force)

Approximately 1.29 million patients of Texas Tech University Health Sciences Center have been added to the ongoing fallout from the Eye Care Leaders ransomware attack and data theft from December 2021.

ECL is a cloud-based, ophthalmology-specific electronic health record (EHR) and practice management vendor based in North Carolina.

Added to the Department of Health and Human Services breach reporting tool Wednesday night, the massive TTUHSC tally makes it the hardest-hit provider by the ECL breach. A total of 58,642 Precision Eye Care patients and 23,993 Harkins Eye Clinic patients were added to the tally Wednesday, as well.

The TTUHSC notice shows the ECL incident compromised a range of patient data, including names, driver’s licenses, emails, genders, dates of birth, medical record numbers, health insurance details, appointment information, Social Security numbers, and medical data tied to services received at the TTUHSC ophthalmology center.

Over the last few weeks, covered entities have released breach notices detailing the ECL “data security incident.” An attacker accessed the EMR platform and its data, tied to a range of healthcare clients. During the dwell time, the actor deleted databases and system configuration files.

Upon discovering the hack, ECL shut down the EMR platform and launched an investigation, which could not conclusively rule out access to patient health data.

So far, at least 20 covered entities have issued notices tied to the ECL ransomware attack, including: 

  • EvergreenHealth (20,533)
  • Allied Eye Physicians & Surgeons (20,651)
  • Summit Eye Associates (53,818)
  • Affiliated Eye Surgeons (23,400)
  • Northern Eye Care Associates (8,000)
  • Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown (194,035)
  • Frank Eye Center (26,333)
  • Ad Astra Eye (3,684)
  • Moyes Eye Center (38,000)
  • Finkelstein Eye Associates (48,587)
  • Sylvester Eye Care (19,377)
  • Shoreline Eye Group (57,047)
  • AU Health (50,631)
  • Associated Ophthalmologists of Kansas City (13,461)
  • Fishman Vision (2,646)
  • Burman & Zuckerbrod Ophthalmology Associates (1,337)
  • McCoy Vision Center (33,930)
  • Texas Tech University Health Sciences Center (1.29 million)
  • Precision Eye Care (58,462)
  • Harkins Eye Clinic (23,993)

For the majority of the providers, the compromised data was limited to patient names, SSNs, dates of birth, medical record numbers, health insurance details, and treatment information. 

A total of 1,987,925 patients have been included in the breached data thus far, putting the ECL incident on pace to become the largest healthcare data breach in 2022. The singular incident is severe enough on its own, but combined with the allegations in a provider-led lawsuit, the vendor has had a tumultuous year of security issues.

Although ECL has not confirmed or denied the allegations, several providers have accused ECL of concealing multiple ransomware attacks and prolonged periods of EMR downtime throughout the year that were not tied to the December incident. SC Media previously connected the dots on all of the allegations in an in-depth report.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.