On June 5, 2024, Panorama Eyecare filed a notice of data breach with the Attorney General of Maine despite discovering that an unauthorized party had accessed its computer network nearly a year earlier.
What happened
Panorama Eyecare, an eyecare management services organization based in Fort Collins, Colorado, identified unauthorized access to its computer network. According to their notice to the Maine Attorney General, their investigation revealed that the breach occurred between May 22, 2023, and June 4, 2023, affecting 377,911 individuals. The compromised data includes names, Social Security numbers, birth dates, driver’s license numbers, financial details, and medical information.
Going deeper
Despite the breach occurring in June 2023, Panorama only began notifying affected individuals a year later in June 2024, raising concerns about the potential prolonged exposure of sensitive consumer information to unauthorized parties.
Such delays can exacerbate the risks for affected individuals, allowing potential misuse of their compromised information for an extended period. Instead, healthcare organizations must ensure timely and transparent communication in data breach response protocols.
Furthermore, the HHS states “These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach,” to mitigate the potential fallout for affected individuals.”
What was said
According to Panaroma’s Notice of Data Security Incident, “an unauthorized party may have obtained access to Panorama’s internal network. Upon learning of this issue, Panorama secured the environment and commenced a prompt and thorough investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of situations. At this time, all systems and networks are secure.”
Their notice emphasizes that the investigation is ongoing although it “has no evidence that any of the compromised information has been misused for identity theft.” However, “Panorama recommends that its patients review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized.”
In a copy of their letters sent to the 34 affected Maine residents Panorama Eyecare stated, “Panorama is committed to maintaining the privacy of personal information in our possession and has taken many precautions to safeguard it. Panorama continually evaluates and modifies its practices and internal controls to enhance the security and privacy of your personal information.”
Panorama noted that affected individuals are offered free identity monitoring services for 12 months. The letter suggests that these individuals stay “vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis.” Additionally, Panorama has set up a dedicated and confidential toll-free response line to respond to questions.
The bottom line
Providers must notify affected individuals no later than 60 days after the breach is discovered. Furthermore, affected individuals should remain vigilant and consider utilizing identity monitoring services to protect their personal information and mitigate further risks.
Go deeper: Navigating HIPAA’s Breach Notification Rule
