Recently, Texas Tech University Health Science Center (“TTUHSC”) confirmed a data breach after Eye Care Leaders, a third-party vendor of TTUHSC, reported a data security incident affecting its computer systems. As a result of the TTUHSC breach, more than 1.3 million patients’ names, Social Security numbers, addresses, phone numbers, driver’s license numbers, email addresses, dates of birth, medical record numbers, and health insurance information were compromised. On June 7, 2022, Texas Tech University Health Science Center sent data breach notification letters to all patients who were impacted by the recent breach.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Texas Tech University Health Science Center data breach, please see our recent piece on the topic here.

More Details on the Texas Tech University Health Science Center Data Breach

Based on the information provided by Texas Tech University Health Science Center, the TTUHSC breach was the result of a data security incident at Eye Care Leaders, a third-party vendor TTUHSC relies on for Electronic Health Record management services.

Evidently, on April 19, 2022, Eye Care Leaders notified Texas Tech University Health Science Center that it had experienced a cyberattack. It appears that Eye Care Leaders first detected the breach on December 4, 2021, at which point the company secured its systems and launched an investigation into the incident. Eye Care Leaders claims to have contained the incident within 24 hours. However, the company’s investigation into the breach confirmed that sensitive patient information was contained in the compromised files.

After learning of the third-party breach, Texas Tech University Health Science Center engaged in a detailed review of all affected files to determine which patients were impacted and what information was leaked. While the breached information varies depending on the individual, it may include your name, address, phone number, driver’s license number, email address, gender, date of birth, medical record number, health insurance information, appointment information, Social Security number, and medical information related to ophthalmology services obtained through Texas Tech University Health Science Center.

On June 7, 2022, Texas Tech University Health Science Center began sending out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. TTUHSC also posted notice of the breach on its website.

Texas Tech University Health Science Center is a public medical school based in Lubbock, Texas. TTUHSC is a separate institution from Texas Tech University; however, both universities are part of the Texas Tech University System. TTUHSC operates five schools, including TTUHSC School of Medicine with campuses in Amarillo, Lubbock and Odessa; TTUHSC School of Nursing with campuses in Abilene, Lubbock and Odessa; TTUHSC School of Health Professions with campuses in Amarillo, Lubbock, Midland and Odessa; Jerry H. Hodge School of Pharmacy with campuses in Abilene, Amarillo, Lubbock and Dallas; and TTUHSC Graduate School of Biomedical Sciences with campuses in Abilene, Amarillo and Lubbock. TTUHSC has approximately 4,600 full-time students and serves patients living in more than 100 counties in western Texas.

The Eye Care Leaders Data Breach and Liability in Third-Party Data Breaches

The data breach at Eye Care Leaders is well known at this point. TTUHSC is not the only organization whose patient information was leaked as a result of the Eye Care Leaders breach. In fact, after counting the 1.3 million TTUHSC patients, the total number of patients affected by the Eye Care Leaders data breach now exceeds 1.9 million.

HIPAA Journal recently compiled a list of all the practices reporting third-party data breaches as a result of the Eye Care Leaders breach, summarized below:

  • Texas Tech University Health Science Center - 1,290,104 patients

  • Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown in West Virginia - 194,035 patients

  • Precision Eye Care in Missouri - 58,462 patients

  • Shoreline Eye Group in Connecticut - 57,047 patients

  • Summit Eye Associates in Tennessee - 53,818 patients

  • AU Health in Georgia - 50,631 patients

  • Finkelstein Eye Associates in Illinois - 48,587 patients

  • Moyes Eye Center, PC in Missouri - 38,000 patients

  • McCoy Vision Center in Alabama - 33,930 patients

  • Frank Eye Center in Kansas - 26,333 patients

  • Lori A. Harkins MD, P.C. dba Harkins Eye Clinic in Nebraska - 23,993 patients

  • Allied Eye Physicians & Surgeons in Ohio - 20,651 patients

  • EvergreenHealth in Washington - 20,533 patients

  • Sylvester Eye Care in Oklahoma - 19,377 patients

  • Arkfeld, Parson, and Goldstein, dba Ilumin in Nebraska - 14,984 patients

  • Associated Ophthalmologists of Kansas City, P.C. in Missouri - 13,461 patients

  • Northern Eye Care Associates in Michigan - 8,000 patients

  • Ad Astra Eye in Arkansas - 3,684 patients

  • Fishman Vision in California - 2,646 patients

  • Burman & Zuckerbrod Ophthalmology Associates, P.C. in Michigan - 1,337 patients

This raises the question: who is liable for a third-party data breach such as the Eye Care Leaders breach? Under United States data breach laws, all organizations in possession of consumer data have an obligation to safeguard the information in their possession. This includes those organizations that directly receive consumers’ information (i.e., TTUHSC) as well as third-party vendors (i.e., Eye Care Leaders).

In the case of the TTUHSC data breach, there is no indication that TTUHSC was negligent in maintaining its own data security systems. However, depending on what evidence comes out in the future, there is a possibility that TTUHSC negligently entrusted consumer data to Eye Care Leaders. For example, this may be the case if TTUHSC had reason to believe that Eye Care Leaders’ servers were not secure or that the company had a history of data security issues. Of course, Eye Care Leaders could also potentially be liable for the breach, provided there is evidence the company was negligent in handling consumer data.

Organizations and their data security systems are the first line of defense against cyberattacks. Those organizations that choose not to maintain robust data security systems do so at great risk to consumers' privacy and should be held accountable for their misplaced priorities.