Texas Tech University Health Science Center Reports Third-Party Data Breach Affecting 1.3 Million Patients | Console and Associates, PC

Recently, the Texas Tech University Health Science Center (“TTUHSC”) confirmed a data breach after Eye Care Leaders, a third-party provider of TTUHSC, reported a data security incident affecting its computer systems. As a result of the TTUHSC breach, the names, Social Security numbers, addresses, telephone numbers, driver’s license numbers, email addresses, dates of birth, medical record numbers and health insurance information of over 1.3 million patients were compromised. On June 7, 2022, the Texas Tech University Health Science Center sent data breach notification letters to all patients affected by the recent breach.

If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Texas Tech University Health Science Center data breach, check out our recent article on the subject here.

More details on the Texas Tech University Health Science Center data breach

Based on information provided by the Texas Tech University Health Science Center, the TTUHSC breach was the result of a data security incident at Eye Care Leaders, a third-party provider that TTUHSC relies on for electronic clinical records management services.

Evidently, on April 19, 2022, Eye Care Leaders notified Texas Tech University Health Science Center that it had suffered a cyberattack. Eye Care Leaders apparently first detected the breach on December 4, 2021, at which point the company secured its systems and initiated an investigation into the incident. Eye Care Leaders claims to have contained the incident within 24 hours. However, the company’s investigation into the breach confirmed that sensitive patient information was contained in the compromised files.

Upon learning of the third-party breach, the Texas Tech University Health Science Center undertook a detailed review of all affected files to determine which patients were affected and what information was leaked. Although the information breached varies by individual, it may include name, address, telephone number, driver’s license number, email address, gender, date of birth, medical record number, health insurance information, appointment information, Social Security number, and medical information related to ophthalmology services obtained through the Texas Tech University Health Science Center.

On June 7, 2022, the Texas Tech University Health Science Center began sending data breach letters to all individuals whose information was compromised as a result of the recent data security incident. TTUHSC has also posted a notice of the breach on its website.

Texas Tech University Health Science Center is a public medical school based in Lubbock, Texas. TTUHSC is a separate institution from Texas Tech University; however, both universities are part of the Texas Tech University System. TTUHSC operates five schools, including the TTUHSC School of Medicine with campuses in Amarillo, Lubbock and Odessa; TTUHSC School of Nursing with offices in Abilene, Lubbock and Odessa; TTUHSC School of Health Professions with offices in Amarillo, Lubbock, Midland and Odessa; Jerry H. Hodge School of Pharmacy with campuses in Abilene, Amarillo, Lubbock and Dallas; and the TTUHSC Graduate School of Biomedical Sciences with campuses in Abilene, Amarillo and Lubbock. TTUHSC has approximately 4,600 full-time students and serves patients living in more than 100 counties in West Texas.

The Eye Care Leaders Data Breach and Third Party Data Breach Liability

The data breach at Eye Care Leaders is well known at this point. TTUHSC is not the only organization that has experienced the loss of patient information due to the Eye Care Leaders breach. In fact, after counting the 1.3 million TTUHSC patients, the total number of patients affected by the Eye Care Leaders data breach now exceeds 1.9 million.

HIPAA Journal recently compiled a list of all practices reporting third-party data breaches following the Eye Care Leaders breach, summarized below:

  • Texas Tech University Health Sciences Center – 1,290,104 patients

  • Regional Eye Associates, Inc. & Morgantown Surgical Eye Center, West Virginia – 194,035 patients

  • Precision Eye Care in Missouri – 58,462 patients

  • Shoreline Eye Group in Connecticut – 57,047 patients

  • Summit Eye Associates in Tennessee – 53,818 patients

  • AU Health in Georgia – 50,631 patients

  • Finkelstein Eye Associates in Illinois – 48,587 patients

  • Moyes Eye Center, PC in Missouri – 38,000 patients

  • McCoy Vision Center in Alabama – 33,930 patients

  • Frank Eye Center in Kansas – 26,333 patients

  • Lori A. Harkins MD, PC dba Harkins Eye Clinic in Nebraska – 23,993 patients

  • Allied doctors and eye surgeons in Ohio – 20,651 patients

  • EvergreenHealth in Washington – 20,533 patients

  • Sylvester Eye Care in Oklahoma – 19,377 patients

  • Arkfeld, Parson and Goldstein, dba Ilumin in Nebraska – 14,984 patients

  • Associate Ophthalmologists of Kansas City, PC in Missouri – 13,461 patients

  • Northern Eye Care Associates in Michigan – 8,000 patients

  • At Astra Eye in Arkansas – 3,684 patients

  • Fishman Vision in California – 2,646 patients

  • Burman & Zuckerbrod Ophthalmology Associates, PC in Michigan – 1,337 patients

This raises the question: who is responsible for a third-party data breach such as the Eye Care Leaders breach? Under US data breach laws, all organizations with consumer data have an obligation to safeguard the information they hold. This includes those organizations that directly receive consumer information (e.g., TTUHSC) as well as third-party suppliers (e.g., Eye Care Leaders).

In the case of the TTUHSC data breach, there is no indication that TTUHSC was negligent in maintaining its data security systems. However, depending on the evidence that comes out in the future, there is a possibility that TTUHSC negligently entrusted consumer data to Eye Care Leaders. For example, this could be the case if TTUHSC had reason to believe that Eye Care Leaders’ servers were unsecured or that the company had a history of data security issues. Of course, Eye Care Leaders could potentially be responsible for the breach as well, provided there is evidence that the company was negligent in handling consumer data.

Organizations and their data security systems are the first line of defense against cyberattacks. Organizations that choose not to maintain robust data security systems put consumer privacy at risk and should be held accountable for their misplaced priorities.
