Data Breach Notification,
Data Security,
Fraud Management & Cybercrime
Recent Cyberattacks Target Ophthalmology Practices in South Dakota and Florida
Black Hills Regional Eye Institute in South Dakota and Retina Group of Florida have recently reported data breaches that impacted over 260,000 patients collectively. These incidents are among several significant data breaches affecting eye care providers in recent months, highlighting vulnerabilities within the healthcare sector.
The Black Hills Regional Eye Institute, located in Rapid City, disclosed that their hacking incident, associated with data theft, impacted nearly 107,000 individuals. Initial reports were made to federal regulators in March, but it was not until August 29 that the institute issued a formal notice to affected parties detailing the breach.
According to their investigation, suspicious activity was noted within BHREI’s network as early as January 4, prompting immediate security measures, including taking down critical IT systems. Investigations confirmed that sensitive information, including names, Social Security numbers, dates of birth, and medical records, may have been compromised.
Retina Group of Florida Incident
Meanwhile, Retina Group of Florida, a prominent eye care practice with multiple locations in Florida, reported that their breach affected approximately 153,000 patients. This incident was disclosed to the U.S. Department of Health and Human Services on September 3, although a formal public notice has not yet appeared on their website.
As of the latest updates, several law firms have begun investigating potential class-action lawsuits against both BHREI and Retina Group of Florida in response to the data breaches. The incidents serve as stark reminders of the ongoing cybersecurity issues within the healthcare sector, as over 500,000 individuals have been affected by similar breaches this year alone, according to the HHS Office for Civil Rights HIPAA Breach Reporting Tool.
This surge in attacks on niche healthcare providers, especially ophthalmology practices, may reflect a broader trend where smaller organizations face significant cybersecurity challenges. Such entities often operate with constrained budgets and limited security expertise, increasing their vulnerability to cyber threats. Errol Weiss, Chief Security Officer at the Health Information Sharing and Analysis Center, emphasized that these smaller practices are often easy targets for opportunistic attackers.
The techniques employed in these attacks can likely be mapped to the MITRE ATT&CK framework, with potential tactics including initial access, persistence, and data exfiltration. Understanding these tactics and the methods behind such breaches can aid business owners in fortifying their systems against emerging cyber threats, which continue to endanger sensitive patient data and organizational integrity.
