Reeve-Woods Eye Center notifies 30,000 patients after malware discovered on computers

One of the recent additions to HHS’s public breach tool involves a breach at Reeve-Woods Eye Center in California.

In a November 12th notification letter to those affected, they write:

Dear Patient or Patient’s Personal Representative,

I am writing on behalf of Reeve-Woods Eye Center (the “Eye Center”), which is an eye clinic with two facilities: (1) 460 W. East Avenue, Suite 110, Chico, California 95926; and (2) 6009 Pentz Road, Paradise, California 95969. We recently discovered a security breach of the Eye Center’s computer systems that may have compromised the privacy of patients’ personal health information. We are sending this letter to you to notify you of a possible breach of your personal information as part of our commitment to patient privacy.

On September 17, 2014, our information technology consultant discovered that unknown individuals had breached the Eye Center’s server and installed malware on two computers, one at each facility. The malware was capturing screenshots (i.e., a copy or image of what is seen on a computer screen at a given time) which included patients’ protected health information. We suspect the malware may have been installed in or around August 2014. The following is a non-exhaustive list of the types of information about patients that may have been accessed: name; social security number; date of birth; home address; phone numbers; dates of service; Medi-Cal ID number, Medicare ID number, and/or other insurance information; information regarding Medi-Cal appeals; diagnosis codes; treatment information; and medical history.

As of the date of this notice, we have not seen any evidence that shows patients’ information was actually viewed or otherwise utilized by a third party. Our investigation, however, is ongoing, and we may uncover evidence your personal information was inappropriately accessed. We are alerting all of our current and former patients about the security breach and ongoing investigation. In addition to heightening our computer system’s security, we have ensured that the malware was removed from our computers and will be providing additional training to our staff concerning the protection of patient information. We have not yet identified the individuals responsible for this, but we have notified federal law enforcement and are taking further steps to avoid any future breaches of our computer systems.

[…]

A copy of the full notification letter is available on the California Attorney General’s web site (pdf).

According to their notification to HHS, 30,000 patients were potentially affected by this breach.

About the author: Dissent