By Haley Williams

As we reach the middle of the year, let’s take a moment to look back, reflect, and learn from some of the key third-party breaches of 2022, a year in which healthcare continued to be a top target. Managing vendors and staying aware of who holds your data is a full-time job. Each vendor has a different set of security measures, and your data is rarely shared with just one individual or team. In healthcare, where PII is extremely sensitive and systems are often outdated, opportunities for threat actors are rampant.

Over 500,000 Individuals Were Victim to the Eye Care Leaders EMR Data Breach

Eye Care Leaders, an EMR solution provider, notified all impacted companies in early March that their data had been compromised in a third-party data breach. The initial impact encompassed 16 companies and over 500,000 individuals.

The 16 companies impacted include:

  • EvergreenHealth: 21,000 individuals impacted
  • Arkfeld, Parson, and Goldstein, P.C. doing business as ilumin: 14,984 individuals impacted
  • Northern Eye Care Associates: 8,000 individuals impacted
  • Ad Astra Eye: 3,700 individuals impacted
  • Regional Eye Associates: 194,035 individuals impacted
  • Moyes Eye Center: 38,000 individuals impacted
  • Burman & Zuckerbrod Ophthalmology Associates: 1,337 individuals impacted
  • Shoreline Eye Group: 57,047 individuals impacted
  • Finkelstein Eye Associates: 58,587 individuals impacted
  • Sylvester Eye Care: 19,377 individuals impacted
  • Associated Ophthalmologists of Kansas City: 13,461 individuals impacted
  • Fishman Vision: 2,646 individuals impacted
  • AU Health: 50,631 individuals impacted

As months have passed, that number has grown to 2.9 million patients impacted, and the company list has grown as well.

Affected Eye Care Provider | Breached Records
Texas Tech University Health Science Center | 1,290,104
Stokes Regional Eye Centers in South Carolina | 266,170
Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown in West Virginia | 194,035
Spectrum Eye Physicians in California | 175,000
Mattax Neu Prater Eye Center in Missouri | 92,361
Sight Partners Physicians in Washington | 86,101
Texas Eye Associates | 75,092
Carolina Eye Care Physicians in South Carolina | 68,739
Precision Eye Care in Missouri | 58,462
Shoreline Eye Group in Connecticut | 57,047
Summit Eye Associates in Tennessee | 53,818
AU Health in Georgia | 50,631
Finkelstein Eye Associates in Illinois | 48,587
Aloha Laser Vision in Hawaii | 43,263
Center for Sight in Massachusetts | 41,041
Moyes Eye Center, PC in Missouri | 38,000
McCoy Vision Center in Alabama | 33,930
Chesapeake Eye Center in Maryland | 32,770
Long Vision Center in Texas | 29,237
Frank Eye Center in Kansas | 26,333
Lori A. Harkins MD, P.C. dba Harkins Eye Clinic in Nebraska | 23,993
Allied Eye Physicians & Surgeons in Ohio | 20,651
EvergreenHealth in Washington | 20,533
Sylvester Eye Care in Oklahoma | 19,377
Cherry Creek Eye Physicians and Surgeons, P.C. in Colorado | 17,732
Arkfeld, Parson, and Goldstein, dba Ilumin in Nebraska | 14,984
Associated Ophthalmologists of Kansas City, P.C. in Missouri | 13,461
Kernersville Eye Surgeons in North Carolina | 13,412
Northern Eye Care Associates in Michigan | 8,000
Sharper Vision in Kansas | 6,891
Ad Astra Eye in Arkansas | 3,684
Fishman Vision in California | 2,646
Burman & Zuckerbrod Ophthalmology Associates, P.C. in Michigan | 1,337
Total | 2,927,422

This healthcare data breach was caused by individuals gaining unauthorized access to systems, deleting databases, and altering data. The access allowed threat actors to release and compromise data including patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding the care received at the affected eye care practices.


Data Breach at MCG Health Impacted 8 Organizations and Nearly 800 Thousand Individuals

Similar to the breach at Eye Care Leaders, the MCG Health attack was also the result of unauthorized access to data systems. Such unauthorized access is often enabled by:

  • Weak passwords
  • Failure to implement MFA
  • Phishing and social engineering
  • Vulnerable, outdated, or compromised accounts
  • Malicious insiders

MCG provides technology and AI solutions for patient care guidelines. The compromised data was PII, including names, addresses, phone numbers, gender, dates of birth, medical codes, and Social Security numbers.

This cyberattack impacted 793,283 individuals and 8 organizations, each of which has released a notice about the attack. These include:

PFC USA Data Breach Impacts Patients of over 650 Healthcare Providers

PFC is a debt collection services provider – a leader in helping U.S. healthcare providers recover unpaid medical bills, with many clients also in retail, financial services, and government. The PFC data breach was caused by a ransomware attack in February 2022. The company began notifying impacted organizations last week, ahead of the July 4th holiday. So far, the full number of affected individuals has not been released, but with over 650 healthcare providers impacted, it is likely to be in line with the other two attacks detailed above.

The sensitive information gathered by the attackers included names, addresses, birth dates, accounts receivable balance and payments information, Social Security numbers, and health insurance and medical treatment information.

Want to stay up to date with other big cyber news events? Check out our weekly news bites segment, updated every Friday with our CISO Bob Maley or Cyber Risk Evangelist Jeffrey Wheatman.
