Cyber Incident Victim: Medical Eye Services

Date:

May 2023

Location:

United States of America

Summary

Medical Eye Services suffered an external system breach compromising the personal information of hundreds of thousands of individuals. The incident resulted in the acquisition of names in combination with Social Security Numbers. The organization offered affected individuals complimentary identity theft protection services, including credit monitoring and fraud consultation, for a twelve-month period.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques

Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On or around May 28, 2023, and again on May 31, 2023, Medical Eye Services, Inc., a commercial entity operating from 20081 Ellipse in Foothill Ranch, California, experienced an external system breach. The incident was characterized as hacking, which resulted in unauthorized access to the company's information systems. The breach was not discovered until August 23, 2023, nearly three months after the initial intrusion events. This delay indicates a period during which the unauthorized activity went undetected within the network. The investigation into the breach confirmed that the attacker or attackers successfully acquired sensitive personal information belonging to a significant number of individuals.

The information acquired during the breach was confirmed to include the name or other personal identifier of each affected individual in combination with their Social Security Number. This specific combination of data is highly sensitive and is classified as personal information under many state data breach notification laws. The compromise of Social Security Numbers in particular creates a substantial risk of identity theft and financial fraud for the victims, as these identifiers are central to many financial and governmental processes.

The total number of persons affected by this security incident was 346,828. This figure includes individuals from across the United States. Among this total, 19 were identified as residents of the state of Maine. The scale of the breach, affecting over a third of a million people, categorizes it as a significant cybersecurity event with widespread impact on a large patient or customer population.

The entity responsible for handling the breach notification process was Venable LLP, a law firm acting as an outside attorney for Medical Eye Services. The submission was made by Juliana Reno, a Partner at the firm, whose contact information was provided to the Maine Attorney General's office. The involvement of external legal counsel suggests that the incident required specialized expertise in regulatory compliance and data breach response protocols.

Medical Eye Services, operating under the name MESVision, determined that written notification was the appropriate method for informing affected individuals of the breach. The company began notifying consumers on November 14, 2023. This date is approximately five and a half months after the breach occurred and nearly three months after its discovery. The time elapsed between discovery and notification suggests a period was dedicated to conducting a comprehensive investigation to determine the full scope of the compromise, identify all affected individuals, and prepare the necessary mailing materials.

A copy of the individual notice sent to affected Maine residents was provided to the state authorities under the filename "MES Individual Notice Template 11.14.2023.pdf." This document would have contained the details of the incident as required by law, including what happened, what information was involved, and what steps the company was taking in response. Furthermore, the notice informed victims of the specific protective measures being offered to them.

In response to the breach and the high-risk nature of the data exposed, Medical Eye Services offered identity theft protection services to all affected individuals. The company engaged Kroll, LLC to provide these services. The offering included a comprehensive suite of protections designed to help mitigate the risk of identity theft following the exposure of Social Security Numbers. The services encompassed identity monitoring, credit monitoring, fraud consultation, and identity theft restoration support. These services were provided for a period of 12 months from the date of enrollment, giving affected individuals a full year of monitoring and support.

The breach was reported to the Maine Attorney General's consumer protection division, which maintains a public log of data security breaches affecting state residents. The reporting entity confirmed that the consumer reporting agencies were not required to be notified, as the number of affected Maine residents was 19, which is below the 1,000-person threshold that triggers that specific requirement under Maine law.

The incident serves as a factual example of a targeted cyber attack on a healthcare-related service provider, resulting in the large-scale exfiltration of personally identifiable information. The consequences for the 346,828 affected individuals involved an elevated and prolonged risk of identity theft, necessitating a year of vigilant monitoring of their financial and personal records. The organizational response involved legal counsel, a detailed investigation, compliance with state notification laws, and the provision of protective services to attempt to redress the potential harm caused by the data compromise.