DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

No need to hack when it’s leaking, Wednesday edition: Eyecare Services Partners exposed more than 2 million patients’ SSN – researcher

Posted on April 3, 2024 by Dissent

EyeCare Services Partners  (ESP) is a private company with a network of ophthalmologic, optometric and ambulatory surgery centers. It is headquartered in Dallas, Texas. On February 9, an IT student who was searching the internet for exposed datasets noticed that ESP had an unsecured blob listed on GrayhatWarfare. Due to other work, “JLT” (as he has asked to be called on this site) did not start really investigating the leak until March 1.

Inspection of Unsecured Data

When JLT started looking at the exposed blob, he discovered the server had over 500,000 files available for public download without any authorization. The files included transaction logs for the SQL server and database backups for ESP’s practice brands.

Eyecare Services Partners’ practice brands.

JLT informs DataBreaches that there were approximately 50 TB of data in the unsecured blob.  He wasn’t able to determine the full scope of the leak or the total number of unique patients affected,  but he was able to provide some statistics and estimates:

  • The biggest database backup had 3.1 million patients in the patient table with 1.6 million unique Social Security numbers (SSN).
  • The total number of unique SSN in the database backups was over 2 million, he estimates. There was one instance where patients’ SSN were encrypted, but he later found the same SSNs in plain-text in another database. “The total number of unique patients was not determined, but there’s likely more than 3.5 million,” he estimated.
  • Some databases contained images, but they appeared to be password-protected compressed archives with millions of files.
  • There were patient notes, encrypted transaction data, diagnoses, and patients’ details such as whether the patient was a smoker, a veteran, etc.
  • Health insurance data in the backups included unencrypted date of birth, patient name, insurer, policy number, patient address, and diagnoses.  Some data was in separate tables but could be easily merged.
  • Employee fingerprint data —  most likely related to door scanners — was also found.
  • The server also contained internal databases with credentials and keys to various servers/services. Some were encrypted, but some were in plain-text. JLT did not test the keys or credentials and so does not know if any were valid.

Notifying ESP

On March 15, JLT sent an email to ESP, alerting their CEO and CIO to the situation. “The server was locked down less than 30 minutes after my initial email to them,” he tells DataBreaches. “Some hours later, the CIO emailed me saying they locked it down and inviting me to tell him more. He never asked me any specific questions, though, and he never asked me for my IP address or if I would delete any data,” JLT added.

JLT did not know for how long the blob had been left unsecured or how many people may have accessed or downloaded protected health information from it.

On March 30, DataBreaches emailed James Lumby, the CIO of ESP, and Theresa Bissonnette, their Compliance Officer. The two executives were asked a number of questions about the incident, but no replies have been received.

Given that data was accessed and downloaded, this appears likely to be a reportable breach under HIPAA. If the exposed data fell into criminals’ hands, it could potentially be misused for identity theft or fraudulent purposes. But did it? Hopefully, ESP had good logs and will provide a statement with some forthright answers about access to the exposed data and any downloads.

DataBreaches will continue to monitor this incident to see if it appears on HHS’s public breach tool or the Texas Attorney General’s breach site and will update this post when more information becomes available.

Related posts:

  • Tabb Inc. Security Gaffe Exposes 200,000 Background Check Files for More Than Six Months (2)
Category: Blog

Post navigation

← Cybercriminals Abused Remote Desktop Protocol (RDP) in 90% of Attacks Handled by Sophos Incident Response in 2023
Indiana-based Otolaryngology Associates, LLC notifies 316,802 patients about February cyberattack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.