Cyber Incident Victim: Center for Vitreo-Retinal Diseases

Date: Sep 2018

Location: United States of America

Summary

The Center for Vitreo-Retinal Diseases experienced a ransomware attack compromising servers that potentially exposed patient information, including names, contact details, dates of birth, insurance data, health records, and Social Security numbers for Medicare beneficiaries. While no evidence confirmed unauthorized access or misuse of the data, the organization notified over 20,300 affected individuals, established a dedicated call center for inquiries, and implemented measures to prevent future incidents.

Description

On September 18, 2018, the Center for Vitreo-Retinal Diseases in Illinois discovered a ransomware attack affecting its servers, prompting an immediate investigation to assess potential data exposure. The investigation revealed that an unauthorized third party may have gained access to patient records stored on the compromised systems, though no evidence confirmed actual viewing or extraction of data. Patient information potentially exposed included names, addresses, phone numbers, dates of birth, insurance details, health records, and Social Security numbers for Medicare beneficiaries. Despite the absence of proof that attackers accessed or misused the data, the center classified the incident as an unauthorized access/disclosure event involving protected health information. The investigation concluded that the ransomware attack created a risk of exposure sufficient to warrant patient notification under regulatory requirements.

The center formally notified the U.S. Department of Health and Human Services (HHS) on November 16, 2018, disclosing that 20,371 patients were affected. Notification letters were mailed the same day, detailing the incident’s scope and offering a toll-free call center (operating weekdays from 8:00 AM to 8:00 PM Central Time) for patient inquiries. While reiterating no evidence of actual data misuse, the center emphasized its commitment to patient privacy and described implementing enhanced security measures to prevent future breaches. The public notice expressed regret for any patient concerns but did not specify technical details of the ransomware variant, attack vectors, or containment procedures beyond general server remediation. No ransomware payment or data recovery demands were mentioned in the disclosed information.
