Hacking Incidents Lead to 2 Big Eye Care Provider Breaches
One Incident Involved Foiled Attempt at Invoice and Wire Transfer Fraud
Two eye care entities - Simon Eye Management and U.S. Vision - are among the latest healthcare provider organizations recently reporting hacking breaches each affecting tens of thousands of individuals. One of the incidents involved a foiled wire transfer fraud attempt.
Delaware-based Simon Eye Management, a chain of clinics that provide eye exams, eyeglasses and surgical evaluations, reported on Sept. 14 to the Department of Health and Human Services' Office for Civil Rights a hacking incident involving email, affecting more than 144,000 individuals, according to the HHS HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
The entity's data security incident notification indicates that the breach involved an unauthorized third party accessing certain employee email accounts from May 12 to May 18, and attempting to engage in wire transfer and invoice manipulation attacks against the company.
Simon Eye says information that may have been compromised by the incident includes individuals’ name, medical history, treatment or diagnosis information, health information, health insurance information and - for a smaller number of individuals - potentially their Social Security number, date of birth and/or financial account information. To date, the entity has no evidence of any misuse of any data as a result of this incident, the notification says.
New Jersey-based USV Optical Inc. - a subsidiary of U.S. Vision - on Sept. 3 reported to HHS' Office for Civil Rights a hacking/IT incident involving a network server and affecting 180,000 individuals.
U.S. Vision in a data breach notification statement says the incident involved unauthorized access to certain servers and systems between April 20 and May 17. While the investigation is still ongoing, investigators have determined that records related to certain customers and employees may have been viewed and/or taken by an unauthorized individual as a result of this incident.
Information potentially compromised in the incident includes individuals' name, eye care insurance information and - for some - their address, date of birth and/or other individual identifiers. U.S. Vision says that so far it has no evidence of any identity theft or fraud occurring as a result of this incident.
Neither Simon Eye Management nor U.S. Vision immediately responded to Information Security Media Group's request for comment on its incident.
"The big takeaway is that no healthcare organization is immune to cyberattacks and that these attacks continue to increase in volume and sophistication," says Jon Moore, chief risk officer at privacy and security consultancy Clearwater. "While ransomware attacks have a lot of the headlines, other methods of attack like business email compromise are very common. Email systems and the workforce continue to be weak points that attackers exploit," he notes.
Kate Borten, president of privacy and consulting firm The Marblehead Group, says the attempted wire transfer fraud incident at Simon Eye should serve as an important reminder to other organizations.
"This type of incident should prompt organizations to review their workforce training on phishing," she says. "If awareness and training aren't happening often, content has gotten stale, or the workforce has become blasé about the risks, it's time to revamp your program."
Michael Hamilton, CISO at security firm Critical Insight and former CISO of the city of Seattle, says that from the context of Simon Eye's notification statement, the incident "appears to be a case of a compromised internal email account that was being used to send messages asking for 'emergency' wire transfers or other financial transactions."
Detection of a compromised account depends on the extent to which the network events are being monitored and investigated, he says. "For example, a login from a source that has never been observed - such as from another geographic region - creates an alert that should be received and addressed," he says.
The other mechanism is through reporting by the recipient of a suspicious message, which is likely how Simon Eye detected the unauthorized activity, Hamilton says.
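As an added example (not from the article, Critical Insight or any of the firms quoted), the following Python script applies the first detection mechanism Hamilton describes to a constructed authentication log: a successful mailbox login from a country never before seen for that account raises an alert. The log format, account names, IPs and countries are assumptions made up for the example.

```python
# Added example: flag successful logins from a source country never seen before
# for that account, the "never observed source" heuristic described above.
# The log lines, accounts and addresses below are constructed for this example.
from collections import defaultdict

# Constructed sample of mailbox authentication events.
SAMPLE_LOG = """\
2021-05-10T08:02:11Z LOGIN_OK user=apayable@example.org ip=203.0.113.10 country=US
2021-05-10T17:45:03Z LOGIN_OK user=apayable@example.org ip=203.0.113.10 country=US
2021-05-11T09:14:27Z LOGIN_OK user=reception@example.org ip=198.51.100.7 country=US
2021-05-12T03:21:48Z LOGIN_OK user=apayable@example.org ip=192.0.2.55 country=NG
2021-05-12T03:25:02Z LOGIN_OK user=apayable@example.org ip=192.0.2.55 country=NG
2021-05-13T08:10:19Z LOGIN_FAIL user=reception@example.org ip=192.0.2.99 country=RU
"""

def parse_event(line):
    """Turn one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    event = {"ts": parts[0], "result": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event

def first_seen_alerts(log_text, baseline=None):
    """Return alerts for successful logins from a country not previously seen
    for that account. `baseline` is an optional prior map of account -> set of
    countries; without it, each account's first login silently seeds the baseline."""
    seen = defaultdict(set, {k: set(v) for k, v in (baseline or {}).items()})
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev["result"] != "LOGIN_OK":
            continue  # failed attempts neither extend the baseline nor alert here
        user, country = ev["user"], ev["country"]
        if user in seen and country not in seen[user]:
            alerts.append({"ts": ev["ts"], "user": user, "ip": ev["ip"], "country": country})
        seen[user].add(country)
    return alerts

if __name__ == "__main__":
    for a in first_seen_alerts(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['user']} first login from {a['country']} ({a['ip']})")
```

In production the baseline would come from weeks of historical sign-in data rather than from the same file being scanned, so that the first event for an account is not silently trusted.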
Clearwater's Moore says that he also recommends organizations specifically train accounts payable employees on how to detect potential business email compromises and email account attacks.
"Organizations should have defined processes for handling payments and financial transactions that include controls like multifactor authentication for account access, tiered approvals, segregation of duties and confirmation procedures," he says.
"When there is an unexpected request or change in payment information, we recommend that an organization verify payment and purchase requests in person or by phone," he adds.
Other Incidents Involving Eye Care Entities
In May, 20/20 Eye Care and Hearing Care Network, a Florida-based vision and hearing benefits administrator, reported to state and federal regulators that nearly 3.3 million individuals' personal and health information contained in an Amazon Web Services cloud storage bucket had been accessed or downloaded - and then deleted - by an "unknown" actor in January (see: Health Data for Millions Deleted from Cloud Bucket).
That incident is the second largest health data breach posted on the HHS OCR website so far this year.
In March, Cochise Eye and Laser, based in Sierra Vista, Arizona, reported to HHS OCR that a February ransomware incident affected the protected health information of about 100,000 individuals.
At least a half-dozen other large health data breaches involving eye care and vision entities have been reported to HHS OCR so far in 2021.
Several hacking incidents involving eye care providers also topped the HHS OCR health data breach tally in 2020.
For instance, EyeMed Vision Care LLC in September 2020 reported to HHS OCR a hacking incident affecting nearly 1.5 million individuals.
Also in 2020, a U.S. unit of Italian-based eyewear maker and eye care center conglomerate Luxottica reported a hacking breach affecting over 829,000 individuals.
Hamilton notes that specialty healthcare organizations - especially smaller entities - are often appealing and vulnerable targets for hackers.
"In general, smaller organizations do not make the investments in security that are commensurate with the threats they face, and this disconnect makes them low-hanging fruit," he says.
Hamilton notes that his firm's analysis of healthcare records breaches for the first half of 2021 indicates that "threat actors are intentionally moving down-market to … clinics and specialty care organizations."