Utah Valley Eye Center

Utah Valley Eye Center, located in the United States, is an eye clinic that experienced a significant data security incident on June 18, 2018. The breach occurred through a compromised third-party patient appointment reminder portal operated by DemandForce, leading to unauthorized access to patient email addresses. This exposure resulted in fraudulent emails impersonating PayPal payment notifications being sent to affected individuals. Although the clinic confirmed that no health or financial information was accessed, attackers potentially obtained additional personal details including names, addresses, phone numbers, and dates of birth. The incident highlighted the persistent risks associated with third-party systems in healthcare. The organization collaborated with its vendor, DemandForce, to implement enhanced security measures and revised internal protocols governing third-party system usage following the breach.

The event underscores a critical vulnerability in healthcare data management where external service providers can serve as entry points for attackers. Utah Valley Eye Center's response involved direct cooperation with the vendor to contain the incident and strengthen security controls. This collaboration focused on preventing recurrence by improving safeguards on the third-party portal and updating the clinic's own policies for vendor engagement. The breach affected patients whose data was stored in the reminder system, though the precise number of individuals is not specified in the available information. The incident serves as an example of how healthcare organizations must extend their security oversight to include all interconnected third-party systems that handle patient information.