Holland (Mich.) Eye Surgery and Laser Center recently mailed notification letters to patients affected by a 2016 hacking incident, according to databreaches.net.
Here are seven insights.
1. On May 18, Holland Eye issued a statement on the breach to the Holland Sentinel and the incident appeared on HHS' Office for Civil Rights data breach reporting portal.
2. According to the statement, Holland Eye was able to confirm the breach March 28. Holland Eye said an "unauthorized individual accessed the list in June 2016 but concealed the extent of his or her access until" emailing the center March 19, 2018.
3. The hacker accessed a patient list that included patient names, addresses, birthdays, demographic information, health insurance information and Social Security numbers.
4. A hacker using the name Lifelock contacted databreaches.net and claimed responsibility for the breach. Lifelock claims to have demanded $10,000.00 from Holland Eye to help the organization secure its patients' data.
The hacker allegedly reached out to the clinic more than 30 times over two years while selling more than 200 patients' information on AlphaBay and TradeRoute.
5. The OCR portal shows 42,200 patients were affected.
According to databreaches.net, Lifelock shared two date-stamped .csv files he stole from the network. One contained 42,229 records, and the other contained an additional 202,163 records.
6. The law requires entities to notify OCR within 60 days of detecting a data breach.
7. Holland Eye Surgery and Laser Center did not respond to Becker's ASC Review's request for comment.