20/20 Eye Care Network, Inc. is a managed vision care company that offers a complete array of third party services through its network of ophthalmologists, ambulatory surgical centers, and retail vision centers. The company is based in Hialeah, FL and is owned by parent company, iCare Health Solutions, an ocular health services provider for health plans.
Description
20/20 Eye Care Network, Inc. detected unusual network activity on January 11, 2021, involving its AWS cloud storage environment. The breach was verified on February 18, and a forensic investigation would later confirm that the AWS S3 storage buckets had been compromised, allowing attackers to access the hosted data and exfiltrate it to a third-party site. The data included the personal health information of over 3.2 million health plan members, including names, Social Security numbers, birth dates, member ID numbers and health insurance information. Because the buckets were deleted by the attackers, it was impossible to determine which individuals had been affected in the attack. The company sent out notification letters to all plan members in May. After receiving her notification letter on May 28, Kristi Hoffman-Mock filed suit against 20/20 Eye Care Network and iCare Health Solutions in the U.S. District Court for the Southern District of Florida. The suit was filed on behalf of her and additional class members.
Basis of the Case
The Plaintiff claims that her credit card was used to make fraudulent purchases over the internet shortly after she received her notification letter. She says that her mail was diverted to a different address and that the volume of voice phishing calls she receives has increased significantly. The Plaintiff asserts that the Defendant failed to take adequate and reasonable measures to ensure that its data systems were protected and did not disclose the lack of adequate security systems and practices to its patients. She also claims that the Defendant failed to provide the Plaintiff and Class Members prompt and accurate notice of the data breach. The suit references the fact that the Defendant failed to comply with HIPAA security standards, such as the obligation to protect against reasonably anticipated threats or hazards to the security or integrity of electronic protected health information (ePHI).
A settlement announced weeks ago establishes a $3 million fund to cover claims filed by any individual affected by the data breach. Class members are entitled to submit claims of up to $2,500 to recover out-of-pocket losses, including reimbursement for ten hours of lost time spent dealing with the incident. Victims who suffered documented losses to identity theft and fraud may file a claim for up to $5,000. All individuals have the option to accept either 36 hours of credit monitoring services or an equivalent cash payment in lieu of those services.
Call to Action
HIPAA requires that any health care provider who transmits health information in electronic form in connection with a transaction must ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits. These organizations must also identify and protect against reasonably anticipated threats to the security or integrity of the information. This includes any personally identifiable information (PII) stored in the cloud. While cloud providers offer their customers a shared security model, many organizations are unclear about what their responsibilities are under these agreements. In the end, an organization is responsible for securing anything it uploads to the cloud.
If your company uses cloud services for application hosting and is unsure what its duty of care is regarding cybersecurity, a Duty of Care Risk Assessment (DoCRA) is a great place to start. This risk assessment process is a straightforward way to establish security strategies and controls that will hold up to the scrutiny of regulators, attorneys, and executive management. HALOCK’s team of security professionals has performed hundreds of these assessments and can help you establish reasonable security based on your assessment findings as well as the mission, objectives, and obligations of your organization.