
Eye Care Practice: Vendor Paid Ransom for Return of Data

February 19, 2021 – Article posted on HealthcareInfoSecurity

A California-based eye care provider – which also handles billing and other administrative services for a separate local surgery practice – says its online storage vendor was recently hit by hackers and paid a ransom for the return of patient data stolen from both entities.

In a statement, Harvard Eye Associates says its unnamed storage vendor – “after consulting with cybersecurity experts and the FBI” – decided to pay the hackers in exchange for returning the data pertaining to both its practice and Alicia Surgery Center, both based in Laguna Hills, California.

Harvard Eye Associates provides billing and other administrative services for Alicia Surgery Center, both entities note in their breach notification statements. “Harvard Eye uses some of our patient information in order to provide services,” Alicia Surgery Center says.

The statements do not specify whether the vendor incident involved ransomware.

Neither Harvard Eye Associates nor Alicia Surgery Center immediately responded to Information Security Media Group’s request for additional details, such as the name of the vendor involved….

…Some security experts question whether the breach of the storage vendor affected other clients.

“Without knowing the intricacies of the breach, it’s easy to say that it’s possible that there could have been a larger breach,” says Tony Cook, head of threat intelligence at GuidePoint Security.

“What we find more often than not is that the security controls on individual storage vendors … were not properly configured,” he says. “These types of improper security controls can quickly lead to unauthorized access to the data stored.”
