Texas Technical University Health Center reports data breach from third countries affecting 1.3 million patients | Console and collaborators, computer

The Texas University of Technology’s Center for Health (TTUHSC) recently confirmed a data breach after Eye Care Leaders, a third-party provider of TTUHSC, reported a data security incident affecting its computer systems. As a result of the TTUHSC infringement, more than 1.3 million patients‘Names, social security numbers, addresses, telephone numbers, driver’s license numbers, e-mail addresses, dates of birth, medical record numbers and health insurance information have been compromised. On June 7, 2022, the Texas Technical University Health Center sent data breach notification letters to all patients who were affected by the recent breach.

If you have been notified of a data breach, it is important that you understand what is at risk and what you can do about it. To learn more about how to prevent yourself from becoming a victim of fraud or identity theft and what your legal options are after a data breach at the Texas University of Technology Health Center, please see our recent article on the subject here.

More details about the data breach at the Texas Technical University Health Center

Based on information provided by the Texas Technical University Health Center, the TTUHSC breach is the result of a data security incident at Eye Care Leaders, a third-party provider that TTUHSC relies on for electronic health record management services.

Apparently, on April 19, 2022, eye care managers informed the Texas Technical University Health Center that he had suffered a cyber attack. Apparently, eye care leaders first discovered the breakthrough on December 4, 2021, at which point the company secured its systems and launched an investigation into the incident. Eye Care Leaders say they have mastered the incident within 24 hours. However, the company’s investigation into the violation confirmed that the compromised files contained sensitive information about patients.

After learning of the third-party breach, the Texas Technical University Health Center undertook a detailed review of all affected files to determine which patients were affected and what information was leaked. Although the information violated varies from individual to individual, it may include your name, address, telephone number, driver’s license number, email address, gender, date of birth, medical record number, health insurance information, appointment information, social security number and medical information related to ophthalmic services obtained through the Texas Tech University Health Center.

On June 7, 2022, the Texas University of Technology Health Center began sending data breaches to anyone whose information has been compromised as a result of a recent data security incident. TTUHSC also published a notice of infringement on its website.

The Texas Tech University Health Center is a public medical school based in Lubbock, Texas. TTUHSC is a separate institution from Texas Tech University; however, both universities are part of the Texas Tech University system. TTUHSC operates five schools, including the TTUHSC School of Medicine with campuses in Amarillo, Lubbock and Odessa; TTUHSC School of Nursing with campuses in Abilene, Lubok and Odessa; TTUHSC School of Health Professions with campuses in Amarillo, Lubbock, Midland and Odessa; Jerry H. Hodge School of Pharmacy with campuses in Abilene, Amarillo, Lubbock and Dallas; and TTUHSC Graduate School of Biomedical Sciences with campuses in Abilene, Amarillo and Lubbock. TTUHSC has approximately 4,600 full-time students and serves patients living in more than 100 counties in West Texas.

Data breach of leaders in eye care and liability for data breach by third parties

The data breach in Eye Care Leaders is well known at this stage. TTUHSC is not the only organization that has leaked patient information as a result of a violation of leaders in eye care. In fact, after counting 1.3 million TTUHSC patients, the total number of patients affected by the Eye Care Leaders data breach now exceeds 1.9 million.

The HIPAA Journal recently compiled a list of all practices reporting third-party data breaches as a result of an Eye Care Leader breach, summarized below:

  • Texas Tech University Health Research Center – 1,290,104 patients

  • Regional Eye Associates, Inc. and Morgantown Surgical Eye Center in West Virginia – 194,035 patients

  • Precision Eye Care in Missouri – 58,462 patients

  • Shoreline Eye Group in Connecticut – 57,047 patients

  • Summit Eye Associates in Tennessee – 53,818 patients

  • AU Health in Georgia – 50,631 patients

  • Finkelstein Eye Associates in Illinois – 48,587 patients

  • Moyes Eye Center, PC in Missouri – 38,000 patients

  • McCoy Vision Center in Alabama – 33,930 patients

  • Frank Eye Center in Kansas – 26,333 patients

  • Lori A. Harkins MD, PC dba Harkins Eye Clinic in Nebraska – 23,993 patients

  • Allied Eye Physicians & Surgeons in Ohio – 20,651 patients

  • EvergreenHealth in Washington – 20,533 patients

  • Sylvester Eye Care in Oklahoma – 19,377 patients

  • Arkfeld, Parson and Goldstein, dba Ilumin in Nebraska – 14,984 patients

  • Associated ophthalmologists from Kansas City, PC in Missouri – 13,461 patients

  • Northern Eye Care Associates in Michigan – 8,000 patients

  • Ad Astra Eye in Arkansas – 3684 patients

  • Fishman Vision in California – 2646 patients

  • Burman & Zuckerbrod Ophthalmology Associates, PC in Michigan – 1337 patients

This raises the question of who is responsible for third-party data breaches, such as the Eye Care Leaders breach. Under United States data breaches, all organizations that hold user data have an obligation to keep the information they hold. This includes those organizations that directly receive information from consumers (ie TTUHCS), as well as third-party providers (ie Leaders in Eye Care).

In the event of a breach of TTUHSC data, there is no indication that TTUHSC has been negligent in maintaining its own data security systems. However, depending on the evidence available in the future, it is likely that TTUHSC has inadvertently entrusted consumer data to leaders in eye care. For example, this could be the case if TTUHSC had reason to believe that Eye Care Leaders’ servers were not secure or that the company had a history of data security issues. Of course, eye care leaders could also be held accountable for the breach, provided there is evidence that the company was negligent in handling user data.

Organizations and their data security systems are the first line of defense against cyber attacks. Those organizations that choose not to maintain robust data security systems do so with a high risk to user privacy and must be held accountable for their misaligned priorities.

Leave a Comment

Your email address will not be published.