Two eyecare provider groups have been hit with data breaches affecting a total of 324,000 individuals.
A breach at Simon Eye Management in Delaware was reported to the Department of Health and Human Services’ Office for Civil Rights on Sept. 14. Over 144,000 individuals were affected by the the hacking incident involving email.
According to to a notice from Simon Eye, “Our investigation revealed that the unauthorized third party attempted to engage in wire transfer and invoice manipulation attacks against the company, none of which were successful.”
The other breach, at USV Optical Inc., a U.S. Vision subsidiary based in New Jersey, was reported to the HHS Office for Civil Rights on Sept. 3. The hacking incident involving a network server affected 180,000 individuals.
Read the notices from the eyecare providers:
Simon Eye
Simon Eye Management (“Simon Eye”) recently became aware of suspicious activity related to certain employee email accounts. With the assistance of third-party computer forensic specialists, we took immediate steps to contain the incident and to investigate the nature and scope of the incident. Simon Eye is issuing this notice to provide additional details regarding what is known about the incident, the steps we are taking in response, and steps potentially impacted individuals can take, if deemed appropriate.
What Happened?
On or about June 8, 2021, Simon Eye initially became aware of suspicious activity related to certain employee email accounts. We immediately launched an investigation with the assistance of third-party specialists to determine the nature and scope of the activity. This investigation determined that there was unauthorized access to certain employee email accounts from May 12, 2021 to May 18, 2021. Our investigation revealed that the unauthorized third party attempted to engage in wire transfer and invoice manipulation attacks against the company, none of which were successful. However, because the unauthorized third party was able to access certain employee email accounts during this time period, we reviewed the entire contents of these mailboxes to identify whether any personal information could have been accessed. To be clear, Simon Eye has uncovered no evidence that any employee or patient information was misused. Nevertheless, out of an abundance of caution, Simon Eye is providing this notice to any patients and employees whose information was within the affected mailboxes. Moreover, our internal efforts to identify contact information to directly notify those potentially impacted are ongoing.
Advertisement
What Information Was Involved?
The information that may have been impacted by this incident could have included one or more of the following: an individuals’ name; medical history; treatment or diagnosis information; health information; health insurance information, including policy and/or subscriber information; insurance application and/or claims information; and for a smaller number of individuals it may have included their Social Security number, date of birth, and/or financial account information. Importantly, to date, we have no evidence of any misuse of any data as a result of this incident.
What Are We Doing?
Simon Eye takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we immediately reset user passwords, implemented additional data security protocols and commenced an investigation to confirm the nature and scope of the incident. We will continue to evaluate and implement additional safeguards. We are also reporting this incident to relevant state and federal regulators. Further, once we complete the review of the impacted data, we will be notifying potentially impacted individuals so that they may take further steps to help protect their information, should they feel it is appropriate to do so.
What Can Affected Individuals Do?
While we have no evidence of identity theft or fraud occurring as a result of this incident, we encourage potentially impacted individuals to review the below, Steps You Can Take to Help Protect Your Information.
For More Information.
We understand you may have additional questions concerning this incident. Individuals can direct questions to (855) 884-8171 from 9:00 a.m. to 9:00 p.m., Eastern Time, Monday through Friday.
USV Optical
USV Optical, Inc., a subsidiary of U.S. Vision, Inc., (“U.S. Vision”) recently became aware of potentially suspicious activity on our computer network that may have impacted the security of certain information on those systems. With the assistance of third–party computer forensic specialists, we took immediate steps to contain the incident and to investigate the nature and scope of the incident. U.S. Vision is issuing this notice to provide additional details regarding what is known about the incident, the further steps we are taking in response, and steps potentially impacted individuals can take, if deemed appropriate.
What Happened? On May 12, 2021, U.S. Vision identified potentially suspicious activity involving our servers and systems. We began investigating the activity with the assistance of third–party computer forensic specialists to determine the nature and scope of the incident. This investigation confirmed there was unauthorized access to certain servers and systems between April 20, 2021 and May 17, 2021. That investigation is ongoing. However, the investigation determined that records related to certain customers and employees may have been viewed and/or taken by an unauthorized individual as a result of this incident. Therefore, U.S. Vision is notifying potentially impacted individuals that their information may have been at risk.
What Information Was Involved? While the investigation is ongoing, the information that may have been impacted by this incident includes individuals’ name, eyecare insurance information including policy and/or subscriber information, eyecare insurance application and/or claims information, and for a smaller number of individuals may include address, date of birth, and/or other individual identifiers. We have no evidence of any identity theft or fraud occurring as a result of this incident.
What Is U.S. Vision Doing? We take this incident and the security of information in our care seriously. Upon discovery, we launched an investigation and took steps to secure our systems. We worked diligently to investigate and respond to this incident and continue working to identify and notify potentially impacted individuals. We are also reviewing and enhancing existing policies related to data protection. We are reporting this incident to relevant state and federal regulators as required. Further, we are notifying potentially impacted individuals so that they may take further steps to help protect their information, should they feel it is appropriate to do so.
What Can Affected Individuals Do? While we have no evidence of identity theft or fraud occurring as a result of this incident, we encourage everyone to review the below, Steps You Can Take to Help Protect Your Information.
For More Information. We understand you may have additional questions concerning this incident. Individuals can direct questions to the telephone number 866–435–7111, during working hours: Monday through Friday from 8:30 am to 10:00 pm ET and Saturday from 9:00 am to 5:30 pm ET.
Advertisement
