Precision Eye Care, Ltd. Confirms Third-Party Data Breach Following Data Security Incident at Eye Care Leaders | Console and Associates, PC

By Martha R. Camara

Jun 21, 2022

Recently, Precision Eye Care, Ltd. reported that it is the latest in a long list of eye care practices affected by the Eye Care Leaders data breach. According to a notice posted on the Precision Eye Care website, the breach resulted in certain names, addresses, dates of birth, Social Security numbers, diagnostic information and health insurance information being disclosed. On June 10, 2022, Precision Eye Care filed a formal notice of breach and began sending data breach notification letters to affected patients. According to the company’s most recent estimates, 58,462 patients were affected by the Precision Eye Care breach.

If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself from fraud or identity theft and what legal options are available to you following the Precision Eye Care data breach, please see our recent article on the topic here.

How Did the Precision Eye Care Data Breach Occur?

The Precision Eye Care breach was the result of a data breach at one of the company’s third-party vendors. Clearly, Precision Eye Care relied on the services provided by Eye Care Leaders to help maintain the practice’s electronic health records. As a result, Eye Care Leaders was in possession of sensitive data belonging to Precision Eye Care patients.

According to statements made by Precision Eye Care and Eye Care Leaders, around December 4, 2021, an unauthorized party gained access to the Eye Care Leaders network. At this point, Eye Care Leaders secured its systems and began investigating the incident. The company’s investigation confirmed unauthorized access; however, the lack of available forensic evidence prevented Eye Care Leaders from ruling out the possibility that certain protected health information and personally identifiable information were accessed by the bad actor carrying out the cyberattack.

Based on information provided by Eye Care Leaders, Precision Eye Care has reviewed all affected files. Although the information disclosed will vary depending on the person, it may include your name, address, date of birth, Social Security number, diagnostic information, and health insurance information.

On June 10, 2022, Precision Eye Care sent data breach letters to 58,462 patients whose information was compromised as a result of the recent incident.

Precision Eye Care, Ltd. is an eye care provider and eye surgery practice based in Farmington, Missouri. Precision Eye Care provides diagnostic, treatment and surgical services to patients in Southeast Missouri. Some of the services provided by Precision Eye Care include cataract surgery, glaucoma treatment, macular degeneration, and corrective eyelid surgery. Precision Eye Care was founded in 1986 and employs approximately 30 doctors, surgeons and administrative staff.

The Latest Breach Resulting From the Incident at Eye Care Leaders

At this point, those following data breach news are likely familiar with the Eye Care Leaders breach. Precision Eye Care is one of several eye care and ophthalmology practices that experienced compromised patient information as a result of the Eye Care Leaders breach. In fact, after including the 58,462 patients affected by the Precision breach, the total number of patients affected by the Eye Care Leaders data breach approaches 2 million.

HIPAA Journal recently compiled a list of all practices reporting third-party data breaches following the Eye Care Leaders breach, summarized below:

  • Texas Tech University Health Sciences Center – 1,290,104 patients

  • Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown in West Virginia – 194,035 patients

  • Precision Eye Care in Missouri – 58,462 patients

  • Shoreline Eye Group in Connecticut – 57,047 patients

  • Summit Eye Associates in Tennessee – 53,818 patients

  • AU Health in Georgia – 50,631 patients

  • Finkelstein Eye Associates in Illinois – 48,587 patients

  • Moyes Eye Center, PC in Missouri – 38,000 patients

  • McCoy Vision Center in Alabama – 33,930 patients

  • Frank Eye Center in Kansas – 26,333 patients

  • Lori A. Harkins MD, PC dba Harkins Eye Clinic in Nebraska – 23,993 patients

  • Allied Eye Physicians & Surgeons in Ohio – 20,651 patients

  • EvergreenHealth in Washington – 20,533 patients

  • Sylvester Eye Care in Oklahoma – 19,377 patients

  • Arkfeld, Parson and Goldstein, dba Ilumin in Nebraska – 14,984 patients

  • Associated Ophthalmologists of Kansas City, PC in Missouri – 13,461 patients

  • Northern Eye Care Associates in Michigan – 8,000 patients

  • Ad Astra Eye in Arkansas – 3,684 patients

  • Fishman Vision in California – 2,646 patients

  • Burman & Zuckerbrod Ophthalmology Associates, PC in Michigan – 1,337 patients

Given the scale of the Eye Care Leaders breach, the question arises as to which companies are responsible for a third-party data breach. Under US data breach laws, all organizations in possession of consumer data have an obligation to protect the information in their possession. This includes organizations that receive consumer information directly, such as Precision Eye Care, as well as third-party vendors such as Eye Care Leaders.

Notably, there is no evidence that Precision Eye Care was negligent in the way it handled patient data. However, this does not necessarily mean that the practice is exempt from liability. Based on the outcome of the investigation, it is possible that Precision Eye Care was negligent in handing over patient information to Eye Care Leaders. For example, this may be the case if Precision Eye Care knew or had reason to believe that Eye Care Leaders’ servers were insecure or that the company had a history of data security issues. Of course, Eye Care Leaders can also be held liable for the breach, provided evidence emerges that suggests the company was negligent in the way it handled consumer data.

Organizations and their data security systems are the first line of defense against cyberattacks. Organizations that choose not to maintain robust data security systems do so at great risk to consumer privacy and should be held accountable for their misplaced priorities.