42,000 patients impacted by 2016 breach of Michigan provider

A hacker told Holland Eye Surgery and Laser Center in March that they had accessed a patient list, but an investigation revealed that another access occurred back in 2016.
By Jessica Davis
01:56 PM

Michigan-based Holland Eye Surgery and Laser Center is notifying 42,200 of its patients that an unauthorized user hacked into a patient database in 2016 and potentially accessed their records.

A pen tester contacted Holland officials on March 19 and said they accessed a patient list containing personal data. The provider launched an investigation and discovered the hacker did indeed access the list in June 2016, but "concealed the extent of his or her access" until the March emails.


The list contained demographic information, along with data that varied by patient, such as health insurance information, Social Security numbers and dates of birth.

Law enforcement was notified and officials have continued to investigate since the hacker notified the provider.

What’s concerning is that the hacker claimed to have sold some of the data from a small group of patients contained in the list "for reasons believed to be related to fraud." But Holland has no way of confirming whether this is true.

So far, officials said they haven’t received any verifiable reports that data included in the breach was misused outside of the hacker’s access. Holland did not respond to a request for comment.

The patients contained in the breached database whose Social Security numbers were stolen are being offered a year of free credit monitoring. But all patients are being told to monitor their credit for any irregular activity.

Officials said they’re working on strengthening their network security to prevent similar events in the future.

Breached and misconfigured databases are continuing to be a problem for the healthcare sector. Organizations should continually monitor network and database settings to detect any abnormal behavior.


Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com