HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Mid Atlantic Retina patients affected by ConnectOnCall data breach

Written by Tshedimoso Makhene | Jan 31, 2025 7:11:54 PM

Mid Atlantic Retina patients' sensitive information was compromised in a data breach at ConnectOnCall, a vendor that handles after-hours calls for healthcare providers. An unauthorized party had access to the vendor's network from February 16 to May 12, 2024, before the intrusion was detected.


What happened 

Mid Atlantic Retina, operating as WillsEye Physicians, recently issued a notice on its website informing patients of a data breach that may have compromised their sensitive information. The breach was traced back to ConnectOnCall.com, a healthcare business services provider responsible for managing after-hours phone calls for healthcare providers, including Mid Atlantic Retina.

According to the notice, an unauthorized party accessed files containing patient data, including names, phone numbers, dates of birth, medical record numbers, and medical histories. Once its investigation concluded, Mid Atlantic Retina began sending data breach notification letters to the affected individuals.


The backstory

ConnectOnCall first discovered the breach on May 12, 2024, when it identified unauthorized activity within its systems. The company took immediate steps to secure its network and launched an investigation to determine the extent of the intrusion. The investigation found that an unauthorized party had access to its network between February 16, 2024, and May 12, 2024. In other words, the intruder had access to patient data for nearly three months before anyone noticed.

Following this discovery, ConnectOnCall reviewed the compromised files to determine which individuals were affected and what specific information had been accessed. It then sent notification letters to impacted individuals describing the information that was compromised.


What was said

Mid Atlantic Retina acknowledged the breach, stating, "One of our vendors, ConnectOnCall.com, experienced an incident that impacted a small subset of our patients." The company clarified that it uses ConnectOnCall to handle after-hours patient calls and said it began notifying affected individuals on December 11, 2024.

According to Mid Atlantic Retina, “ConnectOnCall engaged external cybersecurity specialists to determine the full nature and scope of the incident, identify any involved information, and help them enhance their security controls to mitigate the risk of future security incidents.” The notice also stated that, after discovering the breach, ConnectOnCall took its product offline and has been working through a phased restoration of the product in a new, more secure environment. ConnectOnCall also notified federal law enforcement of the incident.

“You should always remain vigilant and review statements you receive from your healthcare provider. If you see charges for services you did not receive, please contact the provider immediately,” they advised patients.

See also: HIPAA Compliant Email: The Definitive Guide


Why it matters

The breach illustrates how a single compromised vendor can expose patients of every provider that relies on it, and how long such an intrusion can go unnoticed: in this case, nearly three months of access before detection, and roughly seven months before affected patients were notified. It raises the question of whether healthcare providers and their vendors are investing enough in monitoring and other security controls. Under HIPAA, both covered entities and their business associates must implement safeguards to protect patient data, yet incidents like this highlight the weaknesses that can sit inside third-party service providers and the effort required from both parties to protect sensitive information.

Read also: Who is responsible for a data breach?


FAQs

How long does it take to detect a data breach? 

The time it takes to detect a data breach varies widely. Some breaches are discovered within hours or days, while others remain undetected for weeks or months; in the ConnectOnCall incident, the intruder had access for nearly three months before the activity was identified. Early detection is crucial to limiting how much data is exposed and to notifying affected individuals promptly.


How can healthcare organizations prevent data breaches? 

Healthcare organizations can take various steps to prevent data breaches, including implementing strong access controls and monitoring for unauthorized activity, keeping software patched and up to date, training staff on data security, and vetting the vendors that handle patient data. Regular audits and risk assessments also help identify vulnerabilities before an attacker does.

Read also: Tips on proactive data breach prevention for small healthcare practices


How are healthcare organizations held accountable for data breaches? 

Healthcare organizations can be held accountable for data breaches under laws like HIPAA, which requires them to take reasonable steps to protect patient data. An organization that fails to comply with the privacy and security requirements can face penalties, fines, and reputational damage.

Go deeper: Understanding HIPAA violations and breaches