I tweeted this yesterday, but probably should note it here too:
When I saw Wolfe Clinic had reported a breach to HHS impacting 542,776 patients, I thought they had just updated their 500k figure from the ransomware attack by Lorenz last year. But it turned out that this was a new and unrelated report due to the Eye Care Leaders breach in December 2021. Wolfe Clinic was a client of Eye Care Leaders.
In their website notice, Wolfe emphasizes that the breach was of ECL’s system and that there was no evidence that Wolfe’s data had been accessed (although it couldn’t be conclusively ruled out). They write, in part:
As of this writing, Wolfe has not received any reports of identity theft related to this incident. However, in the interest of complete transparency, the information present during the period of unauthorized access may have included our patients’ name, address, date of birth, social security number, diagnostic information, and health insurance information.
Wolfe Clinic’s notice does not state when ECL first notified them of the incident, so it is hard to determine their gap from discovery to notification. And there is still a lot we do not know about the ECL breach, which has impacted or potentially impacted more than 3 million patients by now.