EyeCare Partners: EyeCare Partners Data Breach Exposes SSNs, Government IDs, and More

EyeCare Partners Reports Data Breach Affecting Patient Information

EyeCare Partners (ECP), a major U.S. healthcare provider, disclosed a data breach that exposed sensitive personal and health information of patients across its network. The incident was reported to the Massachusetts Office of Consumer Affairs and Business Regulation on February 4, 2026, with at least three Massachusetts residents confirmed as affected, though the total nationwide impact remains unspecified.

The breach was first detected on January 28, 2025, after suspicious activity was identified in an ECP-managed email account. An internal investigation, supported by a forensic security firm, revealed that an unauthorized third party had accessed multiple ECP email accounts between December 3, 2024, and January 28, 2025. A comprehensive review, completed on November 11, 2025, determined that exposed data varied by individual but potentially included names, contact details, Social Security numbers, dates of birth, government IDs, health plan information, and limited clinical data. While medical records and detailed clinical notes were not accessed, the breach involved both personally identifiable information (PII) and protected health information (PHI).

In response, ECP secured the compromised accounts, enhanced its security measures, and reinforced employee training on email security. Affected individuals are being offered 24 months of free credit monitoring, credit reports, and fraud assistance through Cyberscout (a TransUnion company), with enrollment required within 90 days of notification. The company has also set up a dedicated inquiry line for further support.

Source: https://www.claimdepot.com/data-breach/eyecare-partners-2026

EyeCare Partners cybersecurity rating report: https://www.rankiteo.com/company/eyecare-partners-com

"id": "EYE1770409358",
"linkid": "eyecare-partners-com",
"type": "Breach",
"date": "12/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Unspecified (at least three '
                                              'Massachusetts residents '
                                              'confirmed)',
                        'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'EyeCare Partners (ECP)',
                        'size': 'Major',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Compromised Email Accounts',
 'customer_advisories': '24 months of free credit monitoring, credit reports, '
                        'and fraud assistance through Cyberscout (TransUnion)',
 'data_breach': {'personally_identifiable_information': ['Names',
                                                         'Contact details',
                                                         'Social Security '
                                                         'numbers',
                                                         'Dates of birth',
                                                         'Government IDs',
                                                         'Health plan '
                                                         'information',
                                                         'Limited clinical '
                                                         'data'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Protected Health Information '
                                              '(PHI)']},
 'date_detected': '2025-01-28',
 'date_publicly_disclosed': '2026-02-04',
 'description': 'EyeCare Partners (ECP), a major U.S. healthcare provider, '
                'disclosed a data breach that exposed sensitive personal and '
                'health information of patients across its network. The breach '
                'involved unauthorized access to multiple ECP email accounts, '
                'potentially compromising personally identifiable information '
                '(PII) and protected health information (PHI).',
 'impact': {'data_compromised': 'Sensitive personal and health information, '
                                'including PII and PHI',
            'identity_theft_risk': 'High',
            'systems_affected': 'ECP-managed email accounts'},
 'investigation_status': 'Completed',
 'references': [{'source': 'Massachusetts Office of Consumer Affairs and '
                           'Business Regulation'}],
 'regulatory_compliance': {'regulatory_notifications': 'Reported to '
                                                       'Massachusetts Office '
                                                       'of Consumer Affairs '
                                                       'and Business '
                                                       'Regulation'},
 'response': {'communication_strategy': 'Notification to affected individuals, '
                                        'dedicated inquiry line',
              'containment_measures': 'Secured compromised accounts',
              'remediation_measures': 'Enhanced security measures, reinforced '
                                      'employee training on email security',
              'third_party_assistance': 'Forensic security firm'},
 'threat_actor': 'Unauthorized Third Party',
 'title': 'EyeCare Partners Data Breach Affecting Patient Information',
 'type': 'Data Breach'}