Cyber Incident Victim: U.S. Vision

Date: Apr 2021

Location: United States of America

Summary

A cybersecurity incident at U.S. Vision involved unauthorized access to its systems, compromising sensitive patient and employee data including names, Social Security numbers, addresses, dates of birth, health insurance details, medical records, treatment information, and financial data. The breach impacted affiliated eye care practices that relied on the company's administrative services, prompting notifications to affected individuals after an investigation confirmed the scope. The organization responded by securing its network and engaging cybersecurity experts to address the intrusion, which occurred over a multi-week period. Compromised information varied by individual but exposed victims to potential identity theft and fraud risks.

Description

On May 12, 2021, U.S. Vision, Inc. detected suspicious activity within its computer network, prompting the company to secure its systems and engage a third-party cybersecurity firm to investigate the incident. The subsequent investigation determined that an unauthorized actor had accessed U.S. Vision’s systems between April 20, 2021, and May 17, 2021, compromising sensitive patient and employee data. Affected information included full names, Social Security numbers, addresses, dates of birth, taxpayer identification numbers, driver’s license numbers, financial account details, protected health information (including medical record numbers, dates of service, provider names, diagnoses, symptoms, and prescriptions), health insurance data, and billing and claims information. U.S. Vision could not immediately identify which specific individuals were impacted, delaying notification to downstream entities. The breach stemmed from U.S. Vision’s role as an administrative services provider for multiple eye care practices, including Nationwide Optometry, P.C., SightCare, Inc., and Nationwide Vision Center, LLC—entities previously affiliated with U.S. Vision before their 2019 acquisition by Nationwide Optical Group, LLC, which continued relying on U.S. Vision’s systems post-acquisition.

U.S. Vision completed its investigation on September 22, 2022, confirming the scope of compromised data and notifying the affected practices. Nationwide Optometry, SightCare, and Nationwide Vision Center subsequently filed breach notices with the Montana Attorney General on October 28, 2022, and mailed individualized data breach letters to impacted patients and employees that same month. The letters detailed the types of exposed information and warned recipients of heightened identity theft and fraud risks. U.S. Vision, founded in 1885, operates optical centers within retail chains like JCPenney and Meijer, employing over 2,700 personnel and generating approximately $300 million annually. The breach exposed administrative and clinical data from practices under both current and former affiliations with U.S. Vision, though the exact number of affected individuals was not disclosed in the filings. No technical specifics regarding the attack vector, containment measures beyond system securing, or threat actor attribution were provided in the Montana Attorney General submissions or subsequent public disclosures by the involved entities.
