Cochise Eye and Laser, an ophthalmology and optometry company located in Sierra Vista, AZ, had a ransomware attack on January 13, 2021 and saw the encryption of its patient booking and billing application.
Due to the attack, Cochise Eye and Laser wasn’t able to access any data in its booking application. Nevertheless, the provider did not stop providing eye care services to its patients, although making use of paper charts. As per a breach notice posted on its webpage on February 17, 2021, the provider still utilizes paper charts since the booking system is not yet functional.
The investigators of the breach didn’t come across any proof of patient data exfiltration prior to file encryption; nevertheless, it’s not possible to ensure 100% data theft. The attackers probably got access to these types of information: names, telephone numbers, addresses, birth dates, and Social Security numbers for a number of individuals.
After the ransomware attack, Cochise Eye and Laser improved systems security and used a modern offsite backup system. Recovery of the encrypted data is still ongoing. The provider will continue to use patient charts to reestablish its schedules.
The provider has submitted the report about the ransomware attack to the HHS’ Office for Civil Rights. The incident affected about 100,000 patients.
Insider Privacy Breach at Petersburg Medical Center
Petersburg Medical Center in Alaska learned that a staff accessed some patients’ healthcare records with no permission nor legal work reason.
The instant the center learned about the unauthorized access, it started an internal investigation. The investigator’s report state that there were no further disclosures of data nor exfiltration of patient data from the provider.
Following the breach, the medical center had taken steps to make sure the employee won’t be able to access any patient information now or ever. It is unclear whether the employee was terminated from work. The medical center since then took steps to prevent other privacy violations and already sent by mail the notification letters to the persons affected by the breach.