The California Office of the Attorney General disclosed a data breach affecting Medical Eye Services, Inc. in January 2024. The incident involved unauthorized access to sensitive information stored on the MOVEit server, occurring between May 28, 2023, and May 31, 2023. The breach exposed data of individuals enrolled in vision benefit plans, with at least 70 Rhode Island residents confirmed as impacted. The compromised data likely included personal and possibly medical information, though the exact scope of exposed details (e.g., names, policy numbers, or clinical records) was not explicitly outlined. The breach was attributed to a vulnerability in the MOVEit file transfer platform, a zero-day flaw that was widely exploited in 2023. While the company did not specify whether the data was exfiltrated or misused, the exposure of health-related records raises concerns about potential identity theft, fraud, or phishing risks for affected individuals. Because the company is a healthcare-adjacent entity, the incident underscores the sector’s vulnerability to third-party software exploits, particularly when handling protected health information (PHI). The delayed disclosure (eight months post-breach) may also have compliance implications under state and federal regulations, including HIPAA and California’s data protection laws.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-580194
TPRM report: https://www.rankiteo.com/company/medical-eyeglass-center
"id": "med226091825",
"linkid": "medical-eyeglass-center",
"type": "Breach",
"date": "5/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 70,
'industry': 'Healthcare (Vision Benefits)',
'location': 'California, USA (with impacted '
'individuals in Rhode Island)',
'name': 'Medical Eye Services, Inc.',
'type': 'Healthcare Provider'}],
'attack_vector': 'Exploitation of MOVEit Server Vulnerability',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 70,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII related to vision benefit '
'plans)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_publicly_disclosed': '2024-01-30',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Medical Eye Services, Inc. The breach '
'involved unauthorized access to information on the MOVEit '
'server, occurring on May 28, 2023, and May 31, 2023, '
'potentially affecting individuals enrolled in vision benefit '
'plans. The number of individuals impacted includes 70 Rhode '
'Island residents.',
'impact': {'data_compromised': True,
'identity_theft_risk': True,
'systems_affected': ['MOVEit Server']},
'initial_access_broker': {'entry_point': 'MOVEit Server Vulnerability',
'high_value_targets': ['Vision benefit plan '
"enrollees' PII"]},
'post_incident_analysis': {'root_causes': ['Exploitation of unpatched MOVEit '
'Transfer vulnerability '
'(CVE-2023-34362)']},
'references': [{'date_accessed': '2024-01-30',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['California Consumer '
'Privacy Act (CCPA)',
'Health Insurance '
'Portability and '
'Accountability Act '
'(HIPAA)'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': {'public_disclosure': True,
'regulatory_notification': 'California '
'Office of '
'the '
'Attorney '
'General'}},
'title': 'Data Breach at Medical Eye Services, Inc. via MOVEit Server',
'type': 'Data Breach',
'vulnerability_exploited': 'MOVEit Transfer Zero-Day (CVE-2023-34362)'}