The University of Houston College of Optometry has learned that an unauthorized person from outside the United States gained access to an affiliated eye clinic’s systems and stole files from the clinic’s database.
The UH College of Optometry manages the Community Eye Clinic in Fort Worth, TX. The security team found out about the attack on September 13, 2021, one day after the breach occurred. The IT security team immediately secured the system, put in place extra defensive safety procedures to better protect patient data, and improved its monitoring and alerts. The security group also reviewed the clinic’s IT regulations and processes to ensure that industry-standard practices are followed.
The attacker acquired files connected with patients who received services from the Community Eye Clinic between May 22, 2013, and September 13, 2021. The records in the database contained names, dates of birth, contact information, government ID numbers, health insurance details, Social Security numbers, driver’s license numbers, passport numbers, and diagnosis and treatment information. The clinic does not keep any financial information in the database. The attack also didn’t affect the network systems of the College of Optometry or the University of Houston.
The 18,500 persons whose data were exposed were told to monitor their accounts and explanation of benefits statements for fraudulent transactions, to review their credit reports, and to have a security fraud alert set up on their credit reports.
Valley Mountain Regional Center Phishing Attack Impacts 17,197 Patients
Valley Mountain Regional Center (VMRC) in Stockton, CA has notified 17,197 patients about unauthorized access to some of their protected health information (PHI) kept in compromised email accounts.
VMRC discovered on September 15, 2021 that there were phishing emails in its inboxes. All of the emails were removed from the inboxes; however, the subsequent investigation of the phishing attack confirmed that 14 employees had clicked on the links and disclosed their credentials. As a result, the attackers gained access to their email accounts.
A complete review of the contents of the affected inboxes confirmed they contained names, birth dates, addresses, state-provided client ID numbers, telephone numbers, e-mail addresses, diagnoses, prescription medications, dates of service and additional unique identifiers.
VMRC stated that it did not find any evidence that the attacker viewed, acquired or misused any information in the email accounts; nonetheless, impacted persons were directed to keep an eye on their accounts and credit reports for unusual transactions.