Cyber Incident Victim: Holland Eye Surgery & Laser Center
Date: Jun 2016
Location: United States of America
Summary
A hacker breached a Michigan eye surgery center, stealing patient data and demanding a "security fee" to secure the information. When the payment was not made, the attacker sold portions of the stolen data on dark web markets and repeatedly attempted to pressure the organization into compliance over nearly two years. The center delayed public disclosure until after the hacker escalated communications with local officials and media outlets. The incident compromised personal information of over 42,000 patients, with some records used for fraudulent financial activities. The organization eventually notified affected individuals and regulatory authorities, offering credit monitoring to those whose Social Security numbers were exposed.
Description
On June 26, 2016, an individual using the alias "Lifelock" (also identifying as "Todd Davis") breached Holland Eye Surgery & Laser Center in Holland, Michigan, by accessing an unsecured Remote Desktop Protocol (RDP) server. The attacker exfiltrated two databases: "patients.csv" containing 202,163 records and "person.csv" containing 42,229 records. Lifelock immediately contacted the practice, demanding a $10,000 "security fee" to help secure the compromised patient data, and claimed that the center disabled RDP access upon receiving his communications. Over subsequent weeks, Lifelock escalated attempts to collect payment through staff communications, faxes, and verified delivery methods but received no acknowledgment. After the practice refused payment, Lifelock executed his threat to sell patient data on the dark web markets AlphaBay and TradeRoute, later claiming to have sold information for over 200 individuals. The attacker stated that buyers used the data to create fraudulent bank accounts, obtain cell phones under victims’ identities, and commit other financial crimes. Lifelock repeatedly contacted the practice over two years (approximately 30 times), urging public disclosure, but observed no breach notifications to patients, Michigan authorities, or the U.S. Department of Health and Human Services (HHS).

Holland Eye Surgery first publicly acknowledged the incident in a May 18, 2018, media notice, stating they learned of the breach on March 19, 2018, when Lifelock, posing as a penetration tester, contacted them and revealed prior data sales. The practice disputed Lifelock’s assertion of earlier awareness, claiming the hacker "concealed the extent of his or her access until March 2018." External legal counsel confirmed the March communication was signed "Todd Davis." The center reported the breach to HHS as affecting 42,200 individuals, aligning with the "person.csv" file count, and clarified that the larger "patients.csv" file contained duplicate entries rather than additional unique patients. Notifications advised affected patients to monitor financial statements and offered credit monitoring to those whose Social Security numbers were exposed. Lifelock contested the timeline, alleging the center covered up the breach since 2016 and only acted after he contacted Holland’s mayor and DataBreaches.net in March 2018. The attacker provided no corroborating evidence of pre-2018 communications due to deleted emails from the defunct service Sigaint. HHS’s Office for Civil Rights (OCR) was urged to investigate the discrepancy in breach discovery dates, while local law enforcement did not respond to records requests. Patient impacts included confirmed identity theft and financial fraud linked to the stolen data.
