Iowa-based Wolfe Eye Clinic has issued a breach notification to the Department of Health and Human Services’ (HHS) Office for Civil Rights reporting a data breach affecting 542,776 individuals. According to a notice published to the clinic website, cybercriminals had gained access to sensitive personal information of some of its patients by hacking Wolfe’s electronic medical records platform “myCare Integrity”, which was provided by Eye Care Leaders (ECL), a practice performance company.The cyberattack has impacted several eye care practices nationwide. Since ECL have started information organizations of the incident, over two dozen organizations have sent individual breach notifications to the OCR. The announcement of Wolfe Eye Clinic’s breach amounts the overall number of affected individuals to over 2.5 million.
The breach is said to have taken place on December 4, 2021, when an unauthorized third party had gained access to myCare Integrity data and erased data bases and system configuration files. Upon discovery, ECL’s incident response team immediately stopped the unauthorized access and launched a forensic investigation to determine the nature and extent of the attack. ECL maintains that there is no evidence to indicate any unauthorized access to any of Wolfe Clinic’s medical information. However, there is still a possibility that the threat actors may have had access to some protected health information and personally identifiable information. This includes information regarding patient names, addresses, birth dates, Social Security numbers, diagnostic information, and health insurance information. Wolfe maintains that they have not been informed of any identity theft incidents related to the attack.
The clinic maintains that the protection and security of patient information is their utmost priority. Wolfe Clinic has said they will implement a number of further safeguards and update their policies and procedures to limit the risk of further attacks. “Wolfe sincerely regrets any inconvenience or concern that this matter may cause and remains dedicated to ensuring the privacy and security of all information in our control.”