Eye clinic cyberattack may have exposed info from 500K patients
Photo: Optometrist, Neon Tommy/Flickr, licensed under CC BY-SA 2.0
A cybersecurity incident at an Iowa group eye clinic could have exposed the personal information of nearly 500,000 current and former patients.
According to a press release this week, Wolfe Eye Clinic was the target of a deliberate cyberattack in February.
Because of the complexity and scale of the incident, said the company, the full scope of potentially affected data was not realized until May 28.
"We take our responsibility to protect personal information in our control very seriously and apologize for any concern or inconvenience this may cause," said Luke Bland, chief financial officer at Wolfe Eye Clinic, in a statement.
"We continue to closely monitor the situation and are committed to notifying past and present patients about what happened and what they can do to protect their information," said Bland.
WHY IT MATTERS
Wolfe Eye Clinic runs 11 main clinics across the state, in addition to nine family vision centers, a surgical center and more than 25 outreach locations.
According to the company, on February 8, an unauthorized third party tried to gain access to the company's computer network and then blocked access to some systems and information.
After detecting the incident, said the organization, Wolfe Eye Clinic "responded immediately," contracting the assistance of independent IT specialists and forensic investigators to investigate.
The hackers demanded a ransom, according to the organization, which was not paid. Although it's not clear how long the hackers had access to the information, the clinic said the full breadth of possibly exposed data was not realized until May 28. The investigation concluded on June 8.
This week, Wolfe began notifying the approximately 500,000 current and former patients that their personal information may have been inappropriately accessed.
For some, that data may include their name, mailing address, date of birth and Social Security number; for others, it may also include protected medical and health information, said the company.
Wolfe Eye Clinic said it is taking steps to prevent a similar event from reoccurring by implementing additional safeguards and security measures. It is also offering identity monitoring at no cost for a year to affected individuals.
The company said that to date there have not been reports of identity theft, but that it is notifying all potentially affected individuals "out of an abundance of caution."
The news about the incident came on the heels of comments from U.S. Federal Bureau of Investigation Director Chris Wray to Senate appropriators about how to persuade ransomware attack victims to cooperate with law enforcement.
"If we don't solve the riddle of how to get the private sector promptly and transparently working with us – and more and more companies, I should say, are doing that all the time – but if we don't make that sort of the norm, we're going to have a heck of a time winning this conflict," Wray said, according to reports.
THE LARGER TREND
Unfortunately, the Wolfe Eye Clinic is far from alone in dealing with cybersecurity incidents.
A report this month from Moody's Investors Service found that cyber risk will likely remain high for the healthcare sector, leading to the potential for lost revenue, increased expenses and elevated scrutiny.
But the federal government is flexing its enforcement muscles – or preparing to, anyway.
Earlier this month, Reuters reported that the U.S. Department of Justice would elevate ransomware investigations to a priority level similar to that of terrorism.
The Biden administration said it could even consider military action in response to cyber threats enabled by foreign nation-states.
ON THE RECORD
"Unfortunately, these types of cyber incidents have become all-too-common for health care providers of all sizes nationwide," said Wolfe clinic's Bland in a statement. "We recognize the significance of this incident and moved quickly to address it once we became aware of its occurrence."
Kat Jercich is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.