Recently, Sight Partners Physicians, P.C. announced that it is the latest company affected by what has been a string of data breaches stemming from an incident at Eye Care Leaders. According to Sight Partners, the breach resulted in the full names, addresses, dates of birth, medical information, provider’s names, medical record numbers, and treatment, diagnosis, and prescription information of certain patients being compromised. On June 14, 2022, Sight Partners filed official notice of the breach and sent data breach letters to all affected patients.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Sight Partners Physicians data breach, please see our recent piece on the topic here.
What We Know About the Sight Partners Physicians Data Breach
The Sight Partners data breach is unique among data breaches in that it doesn’t actually involve any compromised computer system within the company. Instead, the breach stems from a data breach at Eye Care Leaders, a third-party vendor that provides Sight Partners with Electronic Health Record management services.
According to the company’s most recent filing, on or around April 15, 2022, Sight Partners was notified by Eye Care Leaders that the company had experienced a cyberattack. Evidently, Eye Care Leaders first detected the breach on December 4, 2021, at which point the company launched an investigation into the incident. While this investigation was unable to confirm whether an unauthorized party accessed or viewed the files, files containing sensitive patient information were stored on Eye Care Leaders’ servers. According to Sight Partners, the practice’s historical patient data was stored on files in Eye Care Leaders’ possession.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Sight Partners Physicians then reviewed the affected files to determine what information was compromised and which patients were impacted. While the breached information varies depending on the individual, it may include your full name, address, date of birth, medical information, provider’s name, medical record number, and treatment, diagnosis, and prescription information.
On June 14, 2022, Sight Partners Physicians sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Sight Partners Physicians, P.C.
Sight Partners Physicians P.C. is a Lynnwood, Washington-based business that supports ophthalmologists and other eye care doctors in growing and sustaining their practices. Sight Partners assists practitioners in obtaining access to capital, growing their practice sustainably, and creating a more efficient business model. Sight Partners Physicians employs more than 339 people and generates approximately $68 million in annual revenue.
Data Breaches Involving Third-Party Vendors
For those looking to point the finger after a data breach, there are often the usual suspects. For starters, the hacker who carried out the attack is obviously legally responsible for a breach. Of course, locating the hacker, pursuing a claim against them—and then recovering any damages awarded—is a long (and likely pointless) road.
The next most obvious party would be the party whose systems were breached. Under state and federal data breach laws, all organizations have an obligation to protect consumer information in their possession. It doesn’t matter that a business wasn’t in direct communication with a consumer—all that matters is that the business was in possession of their information.
However, in data breaches involving third-party vendors, such as the Sight Partners breach, there is also a third option: the organization that received consumer data. In this case, that would be Sight Partners.
In the case of the Sight Partners/Eye Care Leaders data breach, there is no indication that Sight Partners’ data security systems were inadequate. However, depending on the outcome of the investigation, Sight Partners may have been negligent in entrusting consumer data to Eye Care Leaders. For example, this may be the case if Sight Partners knew or had reason to believe that Eye Care Leaders’ servers were not secure or that the company had a history of negligently handling consumer data.
Businesses that choose not to implement robust data security systems do so at great risk to consumers' privacy. So too do businesses that fail to do their due diligence when selecting third-party vendors. In either case, pursuing a data breach lawsuit is one way for victims of a data breach to hold companies accountable and encourage them to take their responsibilities seriously.