The California Office of the Attorney General disclosed a data breach affecting Retinal Consultants Medical Group, Inc. (operating as Vitreo-Retinal Medical Group, Inc.) in August 2013. The incident was detected on June 7, 2013, when a laptop containing unencrypted protected health information (PHI) was stolen. The compromised data included sensitive patient details such as names, dates of birth, gender, race, and optical coherence tomography (OCT) images. OCT is a specialized medical imaging technique used in retinal diagnostics. The exact number of affected individuals remains undisclosed (marked as 'UNKN'), but the breach exposed personally identifiable and health-related information, posing risks of identity theft, medical fraud, or unauthorized use of patient data. The lack of encryption on the device exacerbated the exposure and highlights gaps in data security protocols for handling PHI on portable devices. As a healthcare provider, the group’s failure to safeguard this information violated patient trust and potentially contravened regulatory requirements like HIPAA (Health Insurance Portability and Accountability Act).
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-42390
TPRM report: https://www.rankiteo.com/company/vitreo-retinal-surgery
"id": "vit230082125",
"linkid": "vitreo-retinal-surgery",
"type": "Breach",
"date": "6/2013",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': 'UNKN (not specified)',
                        'industry': 'Healthcare',
                        'location': 'California, USA',
                        'name': 'Vitreo-Retinal Medical Group, Inc. (dba '
                                'Retinal Consultants Medical Group, Inc.)',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Physical Theft',
 'data_breach': {'data_encryption': 'No (unsecured)',
                 'file_types_exposed': ['Medical Images', 'Textual PHI'],
                 'number_of_records_exposed': 'UNKN (not specified)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (PHI)',
                 'type_of_data_compromised': ['Protected Health Information '
                                              '(PHI)',
                                              'Names',
                                              'Dates of Birth',
                                              'Gender',
                                              'Race',
                                              'Optical Coherence Tomography '
                                              'Images']},
 'date_detected': '2013-06-07',
 'date_publicly_disclosed': '2013-08-02',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving Vitreo-Retinal Medical Group, Inc., dba '
                'Retinal Consultants Medical Group, Inc. The breach involved '
                'the theft of a laptop containing unsecured protected health '
                'information (PHI) such as names, dates of birth, gender, '
                'race, and optical coherence tomography images.',
 'impact': {'data_compromised': True,
            'identity_theft_risk': 'High (PHI exposed)',
            'systems_affected': ['Laptop']},
 'initial_access_broker': {'entry_point': 'Physical Theft of Laptop',
                           'high_value_targets': ['PHI Data']},
 'post_incident_analysis': {'root_causes': ['Unsecured PHI stored on a '
                                            'portable device (laptop)']},
 'references': [{'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Potential HIPAA Violation '
                                                    '(unsecured PHI)'],
                           'regulatory_notifications': ['California Office of '
                                                        'the Attorney '
                                                        'General']},
 'response': {'communication_strategy': 'Public disclosure via California '
                                        'Office of the Attorney General'},
 'title': 'Data Breach at Retinal Consultants Medical Group, Inc. '
          '(Vitreo-Retinal Medical Group, Inc.)',
 'type': 'Data Breach (Theft of Physical Device)',
 'vulnerability_exploited': 'Unsecured PHI on Laptop'}