Eye clinic cyberattack may have exposed info from 500K patients
A cybersecurity incident at an Iowa group eye clinic could have exposed the personal information of nearly 500,000 current former patients.
According to a press release this week, back in February Wolfe Eye Clinic was the target of a deliberate cyberattack.
Because of the complexity scale of the incident, said the company, the full scope of potentially affected data was not realized until May 28.
“We take our responsibility to protect personal information in our control very seriously apologize for any concern or inconvenience this may cause,” said Luke Bland, chief financial officer at Wolfe Eye Clinic, in a statement.
“We continue to closely monitor the situation are committed to notifying past present patients about what happened what they can do to protect their information,” said Bland.
WHY IT MATTERS
Wolfe Eye Clinic runs 11 main clinics across the state, in addition to nine family vision centers, a surgical center more than 25 outreach locations.
According to the company, on February 8 an unauthorized third party tried to gain access to the company’s computer network then blocked access to some systems information.
After detecting the incident, said the organization, Wolfe Eye Clinic “responded immediately,” contracting the assistance of independent IT specialists forensic investigators to investigate.
The hackers demanded a ransom, according to the organization, which was not paid. Although it’s not clear how long the hackers had access to the information, the clinic said the full breadth of possibly exposed data was not realized until May 28. The investigation concluded on June 8.
This week, Wolfe began notifying the approximately 500,000 current former patients that their personal information may have been inappropriately accessed.
For some, that data may include their name, mailing address, date of birth Social Security number; for others, it may also include protected medical health information, said the company.
Wolfe Eye Clinic said it is taking steps to prevent a similar event from reoccurring by implementing additional safeguards security measures. It is also offering identity monitoring at no cost for a year to affected individuals.
The company said that to date there have not been reports of identity theft, but that it is notifying all potentially affected individuals “out of an abundance of caution.”
The news about the incident came on the heels of comments from U.S. Federal Bureau of Investigation Director Chris Wray to Senate appropriators about how to persuade ransomware attack victims to cooperate with law enforcement.
“If we don’t solve the riddle of how to get the private sector promptly transparently working with us – more more companies, I should say, are doing that all the time – but if we don’t make that sort of the norm, we’re going to have a heck of a time winning this conflict,” Wray said, according to reports.
THE LARGER TREND
Unfortunately, the Wolfe Eye Clinic is far from alone in dealing with cybersecurity incidents.
A report this month from Moody’s Investors Service found that cyber risk will likely remain high for the healthcare sector, leading to the potential for lost revenue, increased expenses elevated scrutiny.
But the federal government is flexing its enforcement muscles – or preparing to, anyway.
Earlier this month, Reuters reported that the U.S. Department of Justice would elevate ransomware investigations to a priority level similar to that of terrorism.
The Biden administration said it could even consider military action in response to cyber threats enabled by foreign nation-states.
ON THE RECORD
“Unfortunately, these types of cyber incidents have become all-too-common for health care providers of all sizes nationwide,” said Wolfe clinic’s Blin a statement. “We recognize the significance of this incident moved quickly to address it once we became aware of its occurrence.”
Kat Jercich is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.