The Colorado-based eyecare company has alerted regulators of a data breach that occurred in 2023.
Panorama Eyecare is a physician-led management service organization that partners with a variety of eye care clinics across the country, most notably in Colorado.
The company was founded in 2021 and sprang into success with a $150 million initial capital investment from Archimedes Health Investors. It owns or provides services to dozens of practices, offering IT departments, HR, payroll, marketing, and more to its partner companies. Despite impressive growth, the company is now under fire for disclosing a data breach nearly a year after it occurred.
Panorama Eyecare told Maine and Massachusetts regulators that 377,911 current and former patients and employees had data stolen in a 2023 attack.
Impacted information includes names in combination with other personal information, such as addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license numbers, driver’s license state, military identification numbers, passport numbers, bank account and credit card information, health and medical history, email addresses and passwords, and more.
In a statement, Panorama said an investigation determined that its network was accessed between May 22, 2023, and June 4, 2023.
The company said it began investigating the compromise as soon as it was discovered. Its notice lists May 9, 2024, as the date Panorama discovered the event, and states that on that same day it also determined that the malicious actor had accessed and/or acquired personal information.
Panorama added that they currently have “no evidence that any of the information has been used for identity theft or financial fraud as a result of this incident.” On the Maine Attorney General's website, the event is listed as caused by external hacking.
In response to the event, Panorama is offering impacted individuals two years of free identity protection services.
According to some sources, the now-defunct ransomware gang LockBit claimed the attack. Allegedly, before LockBit's site was seized by the FBI, the group stated it had stolen 798 gigabytes of data in July 2023.
When LockBit was taken down, FBI Cyber Division Assistant Director Bryan Vorndran said the bureau had obtained more than 7,000 decryption keys that victims could use to recover their data.
Panorama never addressed the claims made by LockBit, and LockBit never posted further proof of the data.
Most of LockBit’s infrastructure and stolen data were seized, but reports from February show some of the actors behind the operation have resurfaced. While it’s impossible to be certain, data potentially stolen from Panorama may have been destroyed in the initial seizure.
As cyberattacks pile up, so do the lawsuits. With increasing public awareness of and focus on data security, companies victimized by cyberattacks are increasingly being sued in class actions.
HIPAA regulations require that data breaches be disclosed within 60 days of discovery, but with lengthy investigation processes, many organizations fail to meet that deadline. While Panorama provided notice after discovery, it may face other repercussions for the length of time it took to discover the incident. Currently, at least one law firm is investigating claims related to the breach.
It is exceptionally important for organizations to monitor their networks for suspicious activity. When an attack goes undetected, the vulnerabilities that enabled it may remain in place, and documenting the attack and alerting impacted individuals becomes harder as more time passes.
Alongside regularly monitoring network activity, organizations need to stay up to date on evolving attacker strategies and defensive best practices. Network hacking is a broad term that covers a variety of techniques criminals use, such as entering through weak entry points, spoofing, and guessing or cracking passwords, so organizations should constantly be evaluating recent trends.
According to a recent report on the state of cybersecurity, attacks are increasing and utilizing novel approaches. Companies should prepare for attacks with the mindset that they may be inevitable.
Although many healthcare organizations are aware of these increasing challenges, it can be difficult for newer organizations to get their security up to par. Many struggle to find qualified cybersecurity professionals or to use their tools to full capacity. While this is a challenging hurdle to overcome, it is necessary, because data security affects a company's overall success, financial status, and reputation. For companies unable to staff sufficient dedicated cyber professionals in-house, outsourcing can be the best solution.
Thankfully, as far as Panorama has stated, the stolen information has not been misused. As a ransomware operation, LockBit would likely have tried to extort funds from Panorama if it had not been seized. Healthcare organizations should never give in to these demands.
When preparing for attacks, companies should also determine how they will operate if they do fall victim. This may include creating an incident response plan, maintaining backups, and having a plan for continuing operations if systems go down.
Breaches in the healthcare sector cost, on average, $10.93 million and can lead to devastating consequences for impacted practices and patients. Yet many breaches are completely avoidable.
Cloudticity has been a leader in managed security for healthcare over the last decade and has never suffered a data breach. We use a proven security tech stack and the best services and tools available.
As a company dedicated to protecting healthcare organizations, we have tools specifically designed to alleviate modern staffing and technology concerns. By trusting us with cybersecurity, you can focus on what really matters: serving your patients.
Learn more about how Cloudticity’s Managed Security for Healthcare can help you address cybersecurity trends. Reach out today for a free consultation.