8 More Orgs Added to Eye Care Leaders EMR Data Breach Tally

June 08, 2022 - Eye Care Leaders, which offers an ophthalmology-specific EMR solution, experienced unauthorized access to its myCare Integrity system in December 2021.

Since notifying impacted eye care practices on March 1, practices have begun notifying impacted individuals of the third-party breach, which impacted at least 16 known organizations and upwards of 583,700 individuals.

Below is a running list of known eye care practices that reported the incident to the Office for Civil Rights as of June 8. For more details about the breach, go here:

• EvergreenHealth: 21,000 individuals impacted
• Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin: 14,984 individuals impacted
• Northern Eye Care Associates: 8,000 individuals impacted
• Ad Astra Eye: 3,700 individuals impacted
• Regional Eye Associates: 194,035 individuals impacted
• Moyes Eye Center: 38,000 individuals impacted
• Burman & Zuckerbrod Ophthalmology Associates: 1,337 individuals impacted
• Shoreline Eye Group: 57,047 individuals impacted
• Finkelstein Eye Associates: 58,587 individuals impacted
• Sylvester Eye Care: 19,377 individuals impacted
• Associated Ophthalmologists of Kansas City: 13,461 individuals impacted
• Fishman vision: 2,646 individuals impacted
• AU Health: 50,631 individuals impacted

Law Firm Suffers Breach Impacting 115K New York Presbyterian Hospital Patients

Law firm Heidell, Pittoni, Murphy, & Bach (HPMB), which serves as litigation counsel for New York Presbyterian Hospital, disclosed a breach to OCR impacting 114,979 individuals. The business associate handles medical malpractice cases for the hospital and receives medical records for some patients, a letter sent to patients and posted on the Vermont Attorney General’s Office website explained.

HPMB detected suspicious activity within its network environment on December 25, 2021. Further investigation revealed that an unauthorized party “gained control over certain of the firm’s information until HPMB was able to negotiate its return,” the letter stated.

By April 22, HPMB determined that names, birth dates, medical treatment information, and Social Security numbers were part of the data that the threat actors accessed and briefly held.

“Upon detecting this suspicious activity, we moved quickly to initiate a response, which included conducting an investigation with the assistance of third-party forensic specialists and confirming the security of our network environment,” HPMB reiterated.

“We have ensured that no further unauthorized activity has continued. We have also reviewed and updated our policies and procedures relating to the security of our systems and servers, as well as our information life cycle management.”

Homestead Hospice and Palliative Care Data Security Incident Lasts For 1 Year

Georgia-based Creative Hospice Care, also known as Homestead Hospice and Palliative Care, discovered that an unauthorized actor accessed a limited number of employee email accounts between April 1, 2021 and March 31, 2022. The incident impacted 28,332 individuals.

During its investigation, Homestead also learned that some former Homestead employees never returned their work laptops.

“We have contacted the former workforce members to confirm that patient information contained on the laptops, if any, has not been misused or disclosed,” the website notice also stated.

The investigation concluded that patient names, addresses, medical record numbers, birth dates, Social Security numbers, clinical information, and health insurance information were impacted.

“Homestead takes the safeguarding of patients’ information extremely seriously, and we deeply regret any inconvenience or concern this may cause,” the notice continued.

“To help prevent something like this from happening again, we are reinforcing education with our staff on patient privacy and have implemented additional security measures to enhance our email security.”