Texas Tech University Health Sciences Center Pwned As Part Of A Larger Event…. Up To Two Million Patients Affected

Texas Tech University Health Sciences Center has confirmed that the protected health information of 1,290,104 patients was compromised in a data breach at its electronic medical record vendor, Eye Care Leaders.

Eye Care Leaders said it detected a breach on Dec. 4, 2021, and disabled the affected systems within 24 hours. Texas Tech University Health Sciences Center said it received the final results of the forensic investigation on April 19, 2022. The compromised information included the following data elements: name, address, phone numbers, driver’s license number, email, gender, date of birth, medical record number, health insurance information, appointment information, social security number, as well as medical information related to ophthalmology services. No evidence of data exfiltration was found. But I’ll point out that it doesn’t mean that it didn’t happen. It just means that there’s no proof that it did.

Over the past few weeks, the number of eye care providers known to have been affected by the Eye Care Leaders data breach has been growing. At least 20 eye care providers have confirmed they have been affected and the protected health information of at least 1.9 million patients is known to have been exposed.

As the value of stolen credit cards has gone down in value, the value of health records has gone up.  With a complex web of interconnected providers in the healthcare space, many being small businesses, its impossible for the security safeguards in HIPAA to be fully maintained across the board.  That said, a breach at an Electronic Healthcare Records provider is especially concerning, as these are the types of vendors those small mom and pops rely on to provide more secure solutions than they could build on their own.

It’s commendable that they had their own incident response team that did detect a breach rather than it being reported by a 3rd party…a good sign that they are doing the right things.  For those who haven’t been through an investigation like this before, it is worth noting that there are many reasons that “no evidence of data being exfiltrated” could be found.  Very often logs that would have showed evidence aren’t kept for long enough…or at all.  If forensics teams don’t have the right data to work form, it becomes impossible to prove an exfiltration.  And there will be legal and executive pressure to state that no evidence was found in the absence of clear data that it was.  In short, anyone who was part of this breach still might be well off to scrutinize their bills closely, and be prepared to find healthcare services procured in their name at some later date, unfortunately.

We’ll have to see how bad this breach is. Starting with info showing up on the dark web which would be a sign that data was stolen. You might want to stay tuned to this one as I suspect I may be providing an update.

Leave a Reply