Statement on recent Visionworks privacy issue affecting 75,000 customers (update2)
An investigation is currently underway to locate a missing database server, which was replaced on June 2, 2014 during scheduled upgrades. The server potentially held partially unencrypted protected health information belonging to as many as 75,000 of the store’s customers. All credit card information housed on the server was encrypted, and therefore should not be at risk.
While the location of the server has yet to be determined, it is believed to have been sent to one of the store’s local landfills along with other miscellaneous refuse. At this time, there is no reason to believe that any of the information residing on the server has been accessed or used inappropriately.
Nevertheless, Visionworks is notifying the potentially affected customers of the incident and informing them of the associated personal risks in an abundance of caution. In addition, Visionworks will provide those customers with free credit monitoring for one year.
In resolving this issue, Visionworks will comply with the state and federal notification requirements as provided by the HITECH Act of 2009.
Visionworks members are asked to direct questions and concerns related to this issue to 1-888-778-7161.
Update: See also coverage on PennLive.
Update2: Visionworks notification to the New Hampshire Attorney General’s Office. From their description, the server held the following types of PII and PHI:
- home and work telephone numbers
- health insurance information: group name, group number, visioncare member ID and expiration date
- date of birth
- referral source
- service type and purpose of visit
- date of last visit
- current balance
- patient status
- work order information
- optical prescription