Cyber Incident Victim: May Eye Care

On July 29, 2018, May Eye Care Center in Hanover, Pennsylvania, experienced a ransomware attack that compromised its server and electronic medical records system. The breach exposed sensitive patient information, including names, dates of birth, addresses, diagnoses, clinical and treatment details, insurance information, and a limited number of Social Security numbers. The organization discovered the intrusion on the same day and initiated an immediate response. Following HIPAA breach notification requirements, May Eye Care determined that approximately 30,000 patients were affected by the incident. The practice engaged a leading international computer forensics firm to investigate the attack and concurrently notified the Federal Bureau of Investigation (FBI) about the ransomware incident.

May Eye Care implemented several remediation measures following the attack. The organization contracted a specialized information technology security firm to review and enhance its security systems and protocols. Forensic investigators found no evidence that patient data had been directly accessed or misused beyond the encryption caused by the ransomware. The practice successfully restored its systems from backups without paying any ransom, though this recovery process resulted in several days of operational disruption. Between the incident date and October 2018, May Eye Care conducted personalized mail notifications to all affected patients, providing detailed guidance on fraud monitoring through credit bureaus (Experian, TransUnion, Equifax), recommendations to review medical statements and credit reports, and specific instructions for reporting suspected identity theft to law enforcement and Pennsylvania state agencies. The notification emphasized vigilance but clarified that no direct evidence of information misuse had been identified through their investigation.