Four months after the first wave of provider notices, Wolfe Clinic has informed about 543,000 patients that their data was likely accessed or deleted during the December 2021 Eye Care Leaders ransomware attack. (Photo credit: "Navy Ophthalmologist Conducts Eye Exam at Naval Hospital Camp Pendleton 190503-N-NW961-0681" by NavyMedicine is marked with Public Domain Mark 1.0.)

The Wolfe Clinic recently disclosed to the Department of Health and Human Services that the data of 542,776 of its patients was among the information accessed, deleted, and possibly taken during the ransomware attack on Eye Care Leaders in December.

In total, the massive ECL breach tally is now just shy of 3.6 million affected patients and remains the largest healthcare data breach reported so far this year. However, the size of the breach impact is only one troubling element of the ongoing fallout.

Namely, many of the impacted providers were not informed until well after the 60-day requirement outlined in The Health Insurance Portability and Accountability Act, which means that the provider notifications were also delayed by weeks and even months. In the case of Wolfe Clinic, its notice came over four months after the first ECL clients issued similar breach notifications. 

In addition, the reported December 2021 incident followed several other ransomware attacks and outages providers claim were concealed by ECL. A recent SC Media analysis details the alleged stonewalling. 

No new insight from ECL notification to Wolfe Clinic regarding attack

The Wolfe Clinic notice does not detail when ECL first notified the provider of the attack. It only reiterates the previous notices: a ransomware attack struck the ECL myCare Integrity system “on or around December 4, 2021.” The attacker then accessed data stored in the system and deleted databases and system configuration files.

ECL lacked the forensic evidence needed to rule out the possibility that personally identifiable information and some protected health information was exposed. For Wolfe Clinic, the data could include names, contact information, dates of birth, Social Security numbers, diagnostic details, and health insurance information.

The notice also notes that the clinic “was using” the ECL electronic medical records platform at the time of the attack, which could suggest the provider has since changed vendors. The provider also stressed that the incident was confined entirely to the ECL network environment, and “there were no other remedial actions available to Wolfe.”

Wolfe Clinic's second HIPAA reporting delay regarding a breach

SC Media reached out to the provider for comment on the delay in notification, but did not receive a response by the time of publication.

It’s important to note the delayed notice, as this is the Wolfe Clinic’s second slow notification over a ransomware-related incident within the last year. In June 2021, the provider informed 527,378 patients that their data was accessed and likely stolen during a ransomware attack that occurred more than four months after it was disclosed.

The security team found a threat actor attempting to access the network on Feb. 8, which it later found had resulted in unauthorized disclosure of names, contact details, dates of birth, and SSNs, as well as medical and health information for a smaller subset of patients.

At the time, Wolfe Clinic explained the cause of the delay was due to the complexity and scope of the incident, which was not understood until June 8.

Healthcare providers often struggle with breach responses, while working to investigate and remediate the impact of the security incidents. However, failure to meet that balance can lead to reputational harms and regulatory fines. When it comes to timing, the HIPAA requirement is clear but reporting gaps are not always intentional.

Investigations are often complex, particularly within an email environment or a vendor-based incident.