Hack at Services Firm Hits 2.4 Million Eye Doctor Patients

An Arizona firm that provides administrative services to about a dozen ophthalmology practices in several states is notifying nearly 2.4 million patients of a November hacking incident that may have compromised their sensitive information.

The data theft is among the latest major hacking incidents reported to regulators by HIPAA-regulated business associates. Last year, 4 in 10 hacks involved a third-party vendor providing one or more of a wide range of services, from bill collecting to transcribing notes, to scores of healthcare organizations.

Medical Management Resource Group, which does business as American Vision Partners, works with and shares a management system, IT and infrastructure with 12 practices, according to its website. The incident involved the hack of a network server and affected more than 2.35 million individuals, the company said in a Feb. 6 report to the Department of Health and Human Services.

The Tempe, Arizona-based firm said that on Nov. 14 it had detected unauthorized activity on certain parts of its network. MMRG said it had promptly taken steps to contain the incident, including isolating the affected system and engaging assistance from outside cybersecurity firms. The company said it also had notified law enforcement and has taken additional actions to further secure its IT systems.

MMRG said that around Dec. 6 it determined that the unauthorized party in the November incident had obtained personal information associated with patients of its affected practices.

The compromised information varies among patients but may include names, contact information, birthdates and medical information, including services received, clinical records and medications. For some individuals, the hack also affected Social Security numbers and insurance information.

In a breach notice, MMRG advised affected individuals to take certain steps to help protect their sensitive information in the wake of the incident, including keeping a close eye on their credit reports and reviewing their account statements. MMRG is offering affected individuals two years of complimentary identity and credit monitoring.

MMRG did not immediately respond to Information Security Media Group's request for additional details about the incident, including how many of its ophthalmology practice clients had been affected.

Practices listed on the website include several Arizona-based practices: Barnet Dulaney Perkins Eye Center, Southwestern Eye Center, MM Eye Institute, Retinal Consultants of Arizona, Aiello Eye Institute and Moretsky Cassidy Vision Correction; two Nevada practices: Abrams Eye Institute and Wellish Vision Institute; two in Texas: West Texas Eye Associates and Laser Eye Center of Lubbock; one in New Mexico: Southwest Eye Institute; and one in central California: Vantage Eye Center.

The MMRG incident is one of the latest major health data breaches involving third-party services firms. In 2023, business associates, including bill collection companies, practice management firms and medical transcription services, accounted for nearly 40%, or 275 of the 734 major breaches reported to HHS.

Those incidents affected nearly 90.3 million people, or about two-thirds of the 135.3 million individuals who were victims (see: How 2023 Broke Long-Running Records for Health Data Breaches).

The largest of those incidents was reported by medical transcription services firm Perry Johnson Associates, and the breach has affected several large healthcare entity clients and about 14 million people so far. PJA initially reported the incident in November to HHS as having affected nearly 9 million individuals. But in recent months and weeks, several subsequent breaches involving the hack and affecting additional PJA clients and millions of their patients have been reported to regulators (see: Therapy Provider Notifying 4 Million Patients of PJA Hack).

"Healthcare organizations should talk about these recent incidents with their vendors and third-party providers and inquire about the controls and options they have in place," said Dustin Hutchison, vice president of services and CISO at security consulting firm Pondurance.

"The threat landscape and vulnerabilities are constantly changing, so an ongoing examination of how to improve to better serve patients is important," he said. "Vendors and business associates that provide critical services are targets for attacks because they handle large volumes of data, so the expectations of controls and the ability to demonstrate those controls should be higher."

"Organizations are going to have different requirements, but establishing a strong program baseline for all of their clients should be the norm. Being able to demonstrate an aggressive vulnerability management program with appropriate access controls, auditing and proactive detection and response goes a long way."

Even smaller medical practices should not be at the mercy of their third-party providers when it comes to security and compliance, especially when they have other options in the market, according to Hutchison.

"Practices of any size should focus on ensuring the security controls they need are available prior to purchase by having the conversation with the vendor and including those requirements in the contract," he said. "Vendors that focus on smaller practices should have a clear understanding of and stance on shared responsibility and why their solution is appropriate for the practice," he added.

"Medical practices should focus on understanding third-party risks by establishing their risk tolerance based on regulatory requirements and necessary security controls to protect their data and environments. The best time to ensure a vendor meets security and compliance requirements is prior to purchase, by reviewing the vendor's processes and controls available and alignment with the practice's expectations and needs."

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.