Compromise of employee mailboxes may have exposed sensitive medical data

Simon Eye, a US chain of optometry clinics, has reported a data breach potentially impacting more than 144,000 individuals.

The possible compromise of sensitive personal data arose from unauthorized access to employee email accounts over a seven-day period between May 12-18, 2021, according to a data breach notice on the Simon Eye website.

Simon Eye said the attackers “attempted to engage in wire transfer and invoice manipulation attacks against the company, none of which were successful”.


Catch up with the latest email security news


However, a review of the breached mailboxes’ contents revealed that patients’ names, medical histories, treatment and diagnosis information, health insurance policy and/or subscriber information, and insurance application and/or claims information may have been exposed.

A subset of individuals may have also had their Social Security numbers, dates of birth, and/or financial account information exposed.

“Importantly, to date, we have no evidence of any misuse of any data as a result of this incident,” said Simon Eye.

Incident response

The eyecare provider, which has 10 clinics around Delaware, said it first became aware of suspicious activity on internal email accounts “on or about June 8”.

Simone Eye said it “immediately reset user passwords, implemented additional data security protocols and commenced an investigation to confirm the nature and scope of the incident”.

It added: “We will continue to evaluate and implement additional safeguards. We are also reporting this incident to relevant state and federal regulators.”


INSIGHT Manufacturing industry must limit internal data access to prevent sensitive leaks – report


The company said it would notify potentially affected individuals upon completion of a review of the potentially compromised data.

Potential victims have been advised to monitor their financial accounts, consider setting up fraud alerts or credit freezes with a credit reporting bureau, and call a helpline if they have any questions.

According to the US Department of Health and Human Services’ breach portal, Simon Eye has reported that the incident may have affected 144,373 individuals.

Simon Eye declined to comment further in response to a query from The Daily Swig.


YOU MIGHT ALSO LIKE US policy change states healthcare apps must follow data breach notification rules