NOTICE OF POTENTIAL BREACH OF PROTECTED HEALTH INFORMATION
On March 1, 2022, Northern Eye Care Associates, P.C. (“NECA”) became aware of a potential breach of protected health information (“PHI”) from our electronic health records contractor and Business Associate, Eye Care Leaders (“ECL”), based on a cyber security incident involving ECL’s databases hosted on Amazon Web Services (“AWS”) on or around December 4, 2021. We are providing this notice so any potentially affected individuals can take swift personal action to reduce or eliminate potential harm. The incident investigation is not fully complete at this time based on the most recent update we received on April 19, 2022. However, ECL’s forensics team did not find any evidence that PHI was acquired or exfiltrated but cannot definitively rule out that possibility. As a result, all NECA patients should review this notice and take appropriate action to protect themselves.
Summary of the Incident
On or around December 4, 2021, attacker(s) accessed the ECL myCare Integrity cloud based back-end hosted on AWS and deleted databases and system configuration files. The activity was detected in less than twenty-four (24) hours and ECL’s incident response team contained and began investigating the incident immediately upon discovering it. Shortly after stopping the attack, ECL also began efforts to restore deleted files and databases from backups to limit impact to the availability of PHI. ECL identified and restored available backups for many of the deleted databases. However, there remain some databases that have not been restored. Work is ongoing to determine whether these remaining, unrestored databases can or need to be restored. NECA’s complete electronic health records for all its patients were hosted with ECL. Because of the nature of the cyberattack, ECL has not discovered any evidence to limit the impact to a subset of specific patients or data, which is why we are providing this notice. While the electronic container in which PHI databases are stored by ECL is encrypted, the database tables themselves are not encrypted at rest.
The forensic investigation into the attack was unable to identify a root cause. The evidence indicates that the attacker accessed the Integrity AWS environment and executed several “delete” commands on December 4, 2021, between 7:18 PM ET and 7:29 PM ET, followed by a break, then another “delete” event occurred at approximately 10:13 PM ET. The attacker also executed several “discover” commands. No other command actions were evidenced during the attack timeframe. Due to both the actions taken by the attacker and the ECL team’s prompt response in disabling the attacked instance and restoring backups, log evidence of the incident is limited. As previously stated, ECL’s forensics team did not find any evidence that PHI was acquired or exfiltrated but cannot definitively rule out that possibility. However, NECA has not found any evidence in our own investigation of any missing or deleted patient PHI. However, out of an abundance of caution, we are providing this notice and will provide any additional relevant updates, if they arise, as the ongoing investigation continues.
It is not required, however, as a precaution we recommend the following steps be taken by anyone who may potentially be affected to protect themselves from any potential information breach harm, including, but not limited to:
Register a fraud alert and order a credit report with one or both of the credit bureaus listed below:
- Experian: (888) 397-3742; www.experian.com; PO Box 9532, Allen, TX 75013
- Equifax: (800)525-6285; www.equifax.com; PO 740241, Atlanta, GA 30374-0241
Monitor your account statements, insurance explanation of benefits (“EOBs”), and credit bureau reports closely and be vigilant for any fraudulent activity.
NECA is communicating and coordinating with ECL regarding the following steps ECL is taking to protect patients’ PHI from possible harm or similar circumstances:
- Initiating a forensics security investigation;
- Updating and changing additional security features in the myCare Integrity environment;
- Reviewing and updating access controls and permissions;
- Reviewing and updating data storage security procedures;
- Strengthening network protections;
- Improving server patching and data backup processes;
- Onboarding additional internal and third-party technical resources and monitoring personnel;
- Continuing to review system security and implement additional improvements as the investigation progresses.
NECA sincerely apologizes for the inconvenience and concern ECL’s incident may cause. NECA currently has and has had numerous information and privacy operational protections in place, as patient information privacy is very important to us. We will continue to work with ECL to do everything we can to address this situation and fortify their operational protections for our patients while maintaining and performing any improvements to our operations protecting your information.
Frequently Asked Questions
Q: Was any of my PHI copied or lost in this attack?
Because of the nature of the attack and limited log evidence, there is no means to limit the scope of the data that may have been accessed. There is no evidence that has been uncovered by either ECL or NECA that any NECA patient PHI was acquired, exfiltrated or deleted. However, because some of the log files were deleted in the attack, the possibility cannot be ruled out completely.
Q: Is any of my personal financial data kept on the database that was attacked?
No. NECA does not keep sensitive financial information, such as bank account or credit card information, in an ECL database. All that information is retained and secured locally within the NECA offices.
Q: Was law enforcement notified about this attack?
Yes. Both local authorities and the FBI were notified about this attack and are continuing their criminal investigations.
Q: Has the U.S. Department of Health and Human Services been notified?
Yes. NECA has filed the requisite breach report with the U.S. Department of Health and Human Services – Office of Civil Rights.
You may contact us with questions and concerns in the following ways: 1) by calling our toll free number at (833) 211-0111 between the hours of 9:00 a.m. and 5:00 p.m., Monday to Friday; 2) sending an e-mail message to firstname.lastname@example.org and please include HIPAA breach in the subject line so we can give immediate attention to your inquiry; or 3) addressing a letter to our postal address, Northern Eye Care Associates, P.C., 200 Fairbanks Street, Iron Mountain, MI 49801.