- Iowa-based Jones Eye Clinic suffered a ransomware attack that may have compromised personal data on 40,000 patients, the Sioux City Journal reported Oct. 24.
Information that might have been exposed included patient full name, address, date of birth, date of service, medical record number, and a general description of the clinic visit or surgery. For some individuals, information might have also included Social Security number, insurance status, and claims data.
The information did not include other financial data such as bank account or credit card account.
In a statement, the Jones Eye Clinic and CJ Elmwood Partners, an affiliated surgery center, said they discovered that a cybersecurity incident had occurred involving personal information of its patients.
Jones Eye Clinic and the surgery center use a common computer network for patient billing and scheduling.
Affected individuals included patients of Jones Eye Clinic and patients of the surgery center who were registered or had services at either entity between Jan. 1, 2003, and Aug. 23, 2018.
On Aug. 23, 2018, Jones Eye Clinic discovered that the computer network suffered a ransomware attack. That same day, the clinic restored its system using backup information and ended the attack without paying the ransom.
While its systems were under attack, the clinic said there was the possibility that the attackers could have gained unauthorized access to PHI of patients of both Jones Eye Clinic and the surgery center. The clinic began an investigation, hired a forensic computer investigator, and notified the FBI.
The investigation found that ransomware was loaded on its system on Aug. 22. The experts' review indicated that, during the overnight hours, the attackers would have had the ability to access patient information contained in the patient billing and scheduling software.
Jones Eye Clinic stressed that the attack did not impact its electronic medical records. While unauthorized access to patients' billing and scheduling information might have occurred, it has not received evidence that the information has been misused.
Because there is a possibility that the information could have been accessed, Jones Eye Clinic is notifying all impacted individuals of this incident. The clinic is offering free credit monitoring services for one year to those impacted by the breach.
After discovering the incident, Jones Eye Clinic engaged several IT companies to assist with restoring the systems and deploying new technology to prevent future intrusions.
Missouri Admits to Contractor Breach Affecting 10,400 Individuals
The Missouri Department of Health and Senior Services announced Oct. 26 that personal information of 10,400 individuals was improperly retained by an IT contractor, who stored it in an electronic file that was not secured.
The information that was exposed included names, dates of birth, state ID number, and some Social Security numbers. The types and amount of personal information retained by the contractor varied by individual.
When the department discovered the breach on August 30, 2018, it took steps to secure the information. Since that time, it has been analyzing the data contained in the electronic file to determine the scope of the breach and find contact information for affected individuals.
The department said it has no reason to believe that the information was viewed or used by anyone intending harm. It has referred the matter to the appropriate legal authority to investigate and determine legal action.
“We have concerns that prior to September 30, 2016, a past contracted vendor may have acted illegally by retaining some names, dates of birth, identification numbers issued by some State agencies and a very limited number of Social Security numbers,” said Department Director Randall Williams.
“The State learned of this incident on the Thursday before Labor Day. We immediately worked with other State agencies over the Labor Day holiday to prevent any dissemination of this data now or in the future. Present leadership takes very seriously our requirement to protect information, and we have referred our findings to the appropriate law enforcement authority,” he explained.