PHI Incidents at Northwest Eye Surgeons and Sight Partners, DJO, LLC and Lawrence General Hospital

Server Breach Impacts Patients of Northwest Eye Surgeons and Sight Partners

Northwest Eye Surgeons LLC and Sight Partners LLC have begun notifying 20,838 patients of unauthorized access to some of their protected health information (PHI) stored on a server.

The breach was discovered on May 1, 2020, and the providers immediately investigated to determine its magnitude and scope. A third-party cybersecurity company assisted with the investigation. On July 31, 2020, the evaluation of the impacted server was finished. On August 7, 2020, another IT company worked on identifying all PHI kept on the server to find out which patients were impacted.

The evaluation showed that the server stored information including patients' names, birth dates, Social Security numbers, ID numbers, driver's license numbers, credit card and financial account details, medical data, and insurance details.

No evidence was found that suggests exfiltration or misuse of patient data. As a safety precaution, however, impacted patients were given a free two-year membership to credit monitoring, identity theft protection, and dark web monitoring services via Equifax Credit Watch Gold.

3,429 Users of DJO Mobility Products Affected by Email Breach

Medical technologies provider DJO, LLC, based in Lewisville, TX, is notifying 3,429 patients regarding the potential access of some of their PHI by an unauthorized person during a phishing attack that occurred at a former independent supplier.

An email account of an All Pro Sports employee was compromised. The attacker accessed the email account and used it to distribute phishing emails to the people in the account's contact list. An evaluation of the email account showed it contained a limited amount of data associated with users of DJO products in central Florida. The compromised data included names, email addresses, addresses, birth dates, doctor names, product data, information associated with the product prescription, and the Medicare numbers of some people.

All Pro Sports discovered the email breach on August 17, 2020, and immediately took steps to protect the account. DJO immediately performed a comprehensive investigation of the breach, engaged a top IT forensics firm to investigate, and confirmed that the phishing attack did not affect any other system or information. Impacted patients received breach notifications in October.

Data Security Breach at Lawrence General Hospital

Lawrence General Hospital, based in Massachusetts, submitted a report of a data security breach in which unauthorized people possibly got access to a limited amount of patient data. A security breach that interrupted its IT networks was identified on September 19, 2020. The investigation showed that an unauthorized person accessed its systems between September 9, 2020 and September 19, when the system was secured.

The breached systems stored patient names, insurance type, internal patient ID numbers, internal visit ID numbers, and certain clinical data for some patients. The Social Security numbers of 5 patients were also possibly compromised.

On November 5, 2020, Lawrence General Hospital sent breach notifications to impacted persons. Lawrence General Hospital also said it is improving its intrusion detection systems in response to the breach.