Nearly 400,000 affected by data breach at eye care management services company

Nearly 400,000 people had sensitive healthcare information stolen by hackers during a 2023 cyberattack on a company that supports eye clinics. 

Colorado-based Panorama Eyecare told regulators in Maine and Massachusetts that 377,911 current and former patients and employees had data stolen — including names, Social Security numbers, dates of birth, license numbers, financial account information, dates of service and medical provider names. 

Panorama Eyecare owns or provides services to dozens of optometry or ophthalmology offices in the Rocky Mountain region. Its systems manage IT departments, HR, payroll, marketing and capital improvements for equipment and facilities. 

Attacks on third-party service providers have been a thorn in the healthcare industry’s side recently. Administrative services provider WebTPA revealed recently that an incident last year potentially affected 2.4 million people. This week, a cyberattack on pathology services company Synnovis resulted in the suspension of operations at London hospitals.

Panorama Eyecare said it first discovered the attack on June 3, 2023 and an investigation revealed the hackers had access to the company’s network as far back as May 22. The company claimed its investigation into the incident concluded nearly a year later, on May 9, and revealed the hackers “may have accessed and removed certain files” from their network. 

Victims are being given two years of free identity protection services. 

The company did not respond to requests for comment about whether it was hit with a ransomware attack. DataBreaches.net reported last July that the now-defunct LockBit ransomware gang claimed the attack on Panorama Eyecare and said it stole 798 gigabytes of data. 

During a cybersecurity conference yesterday, FBI Cyber Assistant Director Bryan Vorndran said the operation to take down the LockBit ransomware gang allowed law enforcement agencies to obtain the decryption keys for more than 7,000 victims, and he urged attacked organizations to reach out in order to get their encrypted data back. 

According to the FBI, the healthcare and public health sector was the most common ransomware target of any critical infrastructure sector in 2023.

In the wake of a ransomware attack on Change Healthcare, a pivotal U.S. company that handles pharmaceutical operations, Senate Finance Committee Chair Ron Wyden (D-Ore.) published a letter on Wednesday urging the Department of Health and Human Services (HHS) to immediately mandate systemically important health care companies to improve their cybersecurity practices.

“The current epidemic of successful cyberattacks against the healthcare sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” Wyden said. 

“The agency’s current approach of allowing the health sector to self-regulate cybersecurity is insufficient and fails to protect personal health information as intended by Congress. HHS must act now to address corporations’ lax cybersecurity practices, which have enabled hackers to steal patient health information and shut down parts of the healthcare system, causing actual harm to patient health.”