It has been reported that the protected health information of hundreds of thousands of Americans has been exposed in two separate security incidents at eye-care providers in the United States. Simon Eye Management reported a data breach to the Department of Health and Human Services’ Office for Civil Rights on September 14. An email hacking incident at the Delaware-based eye-care group exposed the data of 144,000 individuals. According to a notice issued by Simon Eye, suspicious activity ‘related to certain employee email accounts’ was observed on or about June 8. An investigation carried out with the help of third-party computer forensic specialists found that unauthorised access to some employee email accounts had occurred from May 12, 2021, to May 18, 2021.
Trevor J. Morgan of comforte AG commented: “The data breaches involving two eye-care providers in the US, Simon Eye Management and USV Optical, collectively exposed tens of thousands of data subjects’ PHI, PII, and/or other sensitive information. These incidents continue a disturbing trend in attacks against healthcare and personal care organisations, which collect and archive an enormous amount of this highly private data from their customers. These industries need to accept the fact that they will continue to be high-value targets, so they need to enact defensive measures commensurate with that ever-present threat. Data-centric security such as tokenisation and format-preserving encryption can mitigate the fallout of data breaches like these — by replacing sensitive data elements with innocuous representational tokens, these methods protect the data itself rather than the perimeters around that data. If threat actors get their hands on it, they can’t do anything with it because no sensitive information actually is revealed. Companies need to see the situation clearly and bring the right solution into focus.”