In July 2023, the LockBit ransomware group listed Panorama Eyecare on its data leak website and noted to have stolen 798 GB of files from the doctor-led management services provider based in Fort Collins, CO. The ransomware group professed to have gotten information from its clients, which include Denver Eye Surgeons, Eye Center of Northern Colorado, 2020 Vision Center, and Cheyenne Eye Clinic & Surgery Center.
Panorama Eyecare reported the attack one year after the attack was initially discovered. Based on the breach notification submitted to the Maine Attorney General, the attack was discovered on June 3, 2023. The letters mention that based on the forensic investigation results, an unauthorized person got access to its system from May 22, 2023, to June 4, 2023, and potentially accessed and exfiltrated selected files from the system.
The cause of the delay in sending breach notification letters was the detailed analysis of the compromised files which was finished on May 9, 2024. Based on the review, the following protected health information was compromised: names, birth dates, state IDs/driver’s license numbers, Social Security numbers, financial account data, names of medical provider, and dates of service.
Panorama Eyecare stated external cybersecurity specialists were involved in securing its network and investigating the incident. After securing all systems and networks, further measures were implemented to stop other incidents of the same type in the future. Cybersecurity steps and procedures are constantly reviewed and altered to improve the security and confidentiality of patient data.
Based on Panorama Eyecare’s site notice, Panorama has no proof that any of the breached data was exploited for identity theft. The notification doesn’t say that the company is providing credit monitoring and identity theft protection services for free. However, the Maine Attorney General’s site indicates that the services are being given at no cost for one year, at least to residents of Maine. Impacted persons should absolutely make the most of those services.
The breach report submitted to the Maine Attorney General shows that the data of 377,911 persons was potentially exposed in the attack. The HHS’ Office for Civil Rights breach website has not posted the number of individuals impacted by the breach as of this writing. OCR stated that verification of breach reports usually take two weeks after receipt before they are listed on the breach portal.