Ransomware Attack on May Eye Care Center Impacts 30,000 Patients

On July 29, 2018, May Eye Care Center, located in Hanover, PA, was attacked with ransomware. The ransomware was downloaded and executed on a server containing patients’ protected health information (PHI) including names, birth dates, addresses, insurance details, diagnoses, treatment data, clinical data, and Social Security numbers of some patients.

A leading computer forensics firm was contracted to assist with the breach investigation. Recovery took a few days, but all files encrypted by the ransomware were fully restored without data loss. May Eye Center recovered files from backups and did not make any payment to the attackers.

May Eye Center has notified all patients affected by the ransomware attack and the Department of Health and Human Services’ Office for Civil Rights was notified of the breach on October 11. OCR published a breach summary on its Breach Portal indicating 30,000 patients were affected by the ransomware attack.

May Eye Care Center is convinced the only reason for the attack was to demand a ransom payment. No evidence was found indicating that the attackers accessed any patient’s PHI, and patients have not reported PHI misuse.

To help prevent future security incidents, including ransomware attacks, a data security company was called in to conduct a review of May Eye Care’s security systems. Additional security measures are now being implemented to improve May Eye Care’s security posture.

While data theft is not suspected, all patients whose PHI was stored on the server have been advised to review their credit statements and explanation of benefits statements for fraudulent activity and to obtain and check their credit reports.



About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/