Lessons Learned: Ophthalmology EHR Data Breach
Ophthalmology EHR Compromised
On December 4, 2021, EHR vendor Eye Care Leaders suffered a data breach, specifically of its cloud-based myCare Integrity platform. Eye Care Leaders provides 9,000+ physicians with EHR and PM solutions that are specific to ophthalmology. The security incident allowed unauthorized access to the myCare Integrity EMR databases (hosted on AWS), followed by deletion of databases and security configuration files.
EHR, EMR, and PM platforms are the foundation of how covered entities operate – so what happens when there’s a security incident that impacts the availability of the EHR that your organization uses? What are the consequences if your EMR vendor exposes your PHI in a data breach?
What Happens if Your EHR is Compromised?
Eye Care Leaders was able to swiftly identify the data breach and restore some of the databases and files from backups. In the forensic investigation, Eye Care Leaders found that, fortunately, the data breach did not allow unauthorized access to its clients’ systems, but patient information may have been exposed – information like patient names, dates of birth, medical record numbers, insurance, medications, and the type of care provided.
Although the breach occurred in December, Eye Care Leaders began notifying clients in March. As of May 2022, the following covered entities have reported their breaches to the HHS OCR, and have confirmed that Eye Care Leaders was the source of compromise:
- Ad Astra Eye: 3,684 individuals affected
- Frank Eye Center: 25,333 individuals affected
- ilumin: 14,984 individuals affected
- Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown: 194,035 individuals affected
- Northern Eye Care Associates: 8,000 individuals affected
- Summit Eye Associates: 53,818 individuals affected
- Allied Eye Physicians and Surgeons: 20,651 individuals affected
- EvergreenHealth: 20,533 individuals affected
Managing Third-Party Risk
When you entrust a third-party EHR vendor with access to your organization’s sensitive data and environment, you must make sure that vendor is doing their security due diligence. What controls do they have in place to protect your data? Do they have as stringent of a security program as you do?
Your internal IT team or managed service provider must be prepared to effectively manage third-party risk. Even if a vendor meets compliance standards (HIPAA, HITRUST, ONC Health IT Certification), that doesn’t guarantee that controls won’t fail or cyber attacks won’t be successful.
Cyber Risks within Ophthalmology
The ophthalmology sector, like all other healthcare specialties, is not excluded from cyber attacks. Every healthcare provider of any size can be a target because of the valuable information that it can access. In fact, specialty providers are especially attractive to attackers because of their typically small size and limited IT resources. Michael Hamilton, former CISO of the city of Seattle, told ISMG that the trends in 2021 indicated “threat actors are intentionally moving down-market to … clinics and specialty care organizations.”
- January 11, 2021: 20/20 Eye Care and Hearing Care Network notified 3.3 million individuals that their PHI had been exposed due to a leaky S3 bucket.
- January 13, 2021: Cochise Eye and Laser suffered a successful ransomware attack that encrypted its patient scheduling and billing software.
- September 3, 2021: U.S. Vision identified and reported suspicious activity on their network that compromised data.
- September 14, 2021: Simon Eye Management, a chain of eye care clinics, was compromised through unauthorized email access, which was an attempt to engage in wire transfer and invoice manipulation attacks.
These are just a handful of the security incidents reported by the ophthalmology sector last year – but even these examples represent millions of compromised records. What would a data breach cost your organization? Could your ophthalmology practice afford to recover from a successful cyber attack?
If you feel that you need a more effective strategy for managing vendor risk, Dedicated IT is here to help. As a managed service provider that specializes in healthcare, we know how to partner with EHR, EMR, and PM providers and support your security initiatives. Contact us today to get started.