Houston Eye Associates potential data breach reported

ClassAction.org said on May 20 that attorneys are investigating a possible data breach involving Houston Eye Associates after a ransomware group claimed responsibility for a cyberattack. The legal referral site said the alleged incident was tied to a May 14 post on Ransomware.Live naming threat actor Cmdorganization. (classaction.org) Houston Eye Associates, an ophthalmology practice serving Greater Houston, had not confirmed a breach in the material reviewed Thursday. The federal breach portal run by the U.S. Department of Health and Human Services also did not show Houston Eye Associates among listed cases under investigation at the time of review. (ocrportal.hhs.gov) ### What exactly has been reported so far? ClassAction.org said “emerging reports” suggest Houston Eye Associates experienced a data breach, but its page also said the provider had “yet to confirm” the possible incident. The site framed the matter as a lawsuit investigation and asked to hear from current and former patients and employees who believe their information may have been exposed. A separate law-firm page from Mason LLP said Houston Eye Associates had been identified in connection with a reported security incident involving claims by the “Cloak” ransomware group, but added that the “full scope and nature” of any affected data had not been publicly confirmed beyond third-party reporting. (classaction.org) That conflict in threat-actor naming underscores the main point at this stage: public reporting exists, but confirmed facts remain limited. ### Has Houston Eye Associates itself confirmed a breach? Houston Eye Associates’ public website reviewed Thursday did not show a breach notice on the patient portal or privacy-practices pages that were accessible in search results. (classaction.org) The site does publish a Notice of Privacy Practices, revised May 1, 2020, describing how protected health information may be used and disclosed. The HHS Office for Civil Rights breach portal, which lists breaches of unsecured protected health information affecting 500 or more people that have been reported to the secretary, did not display Houston Eye Associates in the results reviewed Thursday. That does not rule out an incident; it means a federal filing was not visible there at the time of review. (masonllp.com) ### What information could be at issue if a breach is confirmed? ClassAction.org listed the impacted data as “TBD,” meaning it did not identify confirmed categories of exposed information. (houstoneye.com) Houston Eye Associates’ own patient materials show the practice handles sensitive personal and medical data in the ordinary course of care, including treatment, billing and insurance information. A patient registration form hosted on its website includes fields for name, address, phone numbers, date of birth, employer information and Social Security number, while its privacy notice describes use of medical and insurance information for treatment and payment. (ocrportal.hhs.gov) ### Why are lawyers already soliciting potential claimants? ClassAction.org said a successful class action, if filed, could seek money for loss of privacy, time spent dealing with the incident and out-of-pocket costs. (classaction.org) The site urged people who think they were affected to contact attorneys investigating the matter. That solicitation does not establish that a breach occurred or that any lawsuit will be filed. It shows plaintiff-side lawyers are trying to identify potentially affected people while the public record is still developing. (houstoneye.com) ### What should patients watch for next? The next concrete step would be a notice from Houston Eye Associates, a filing on the HHS Office for Civil Rights breach portal, or both. The federal portal is the main public tracker for reported healthcare breaches affecting 500 or more people, and Houston Eye Associates’ privacy notice says revised notices are posted in its offices and on its website. (classaction.org) As of Thursday, May 21, neither the ClassAction.org post nor the federal breach portal provided a confirmed number of affected individuals. Patients looking for updates would most likely find the next public record through Houston Eye Associates’ website, mailed notices, or a later HHS OCR posting. (classaction.org) (ocrportal.hhs.gov)