Submitted by Dr. Erik Barrett
Owner, Barrett Eye Care
We value and respect the privacy of our patients’ information, which is why, as a precautionary measure, we are writing this notice to let you know about a cyber security incident that occurred at our offices. Barrett Eye Care (“Barrett”) recently discovered that it had been the victim of a cyber security incident that may affect the security of our patients’ personal information. This notice is intended to provide you with information about the incident, steps we are taking in response, and steps our patients may take to guard against identity theft and fraud, should they feel it is appropriate to do so.
What happened?
On June 2, 2024, Barrett experienced a cyber security incident where a threat actor gained unauthorized access to Barrett’s systems, including the data stored on those systems. On June 13, 2024, after a forensic investigation, Barrett determined that the incident allowed the threat actor to view and access certain personal information, while locking Barrett out of their own system. The vast majority of patient information was encrypted, and although the threat actor did have access to a limited set of personal information, there is no evidence, at the time of this letter, that the threat actor had actually taken steps to view, access, exfiltrate, or otherwise acquire the information. The incident was discovered expeditiously, cyber security experts were retained, and proper security measures were conducted to contain the incident.
What information was involved?
The information subject to the incident may have included personal information such as patients’ first name, last name, driver’s license number and address along with health insurance information. Please note that we are providing this notice because our patients’ personal information may have been exposed.
What are we doing?
We take the protection of our patients’ personal information seriously and are taking steps to prevent a similar occurrence. Upon learning of the incident, Barrett took immediate measures to contain and neutralize the vulnerability, secure the IT environment, notify law enforcement, and initiate a forensic investigation to determine the extent of the incident. Barrett has also deployed, and will continue to deploy, additional security procedures to prevent future incidents. Additionally, Barrett has engaged cyber security experts to guide us through the incident, ensuring that we fully comply with our legal obligations and properly mitigate the potential impact of the incident.
Barrett will continue to work with cyber security experts and law enforcement to ensure that this incident is properly addressed, ensure that we remain vigilant in the security of our own operations, and continue to strengthen our internal controls and safeguards to ensure this type of incident does not occur again. Barrett will notify our patients of any significant developments that may further impact the security of their personal information.
What actions can our patients take?
As always, we recommend our patients be on the alert for suspicious activity related to their financial accounts and credit reports. We encourage our patients to regularly monitor their statements and records to ensure there are no transactions or other activities that they did not initiate or authorize. Patients should report any suspicious activity to the appropriate service provider.
We recommend that our patients obtain, and monitor, their credit reports to ensure that fraudulent activity has not occurred. In line with rights pursuant to the federal Fair Credit Reporting Act, patients may obtain a free copy of their credit report from each of the three major credit reporting agencies once every 12 months by visiting annualcreditreport.com, by calling toll free 1 (877) 322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348.
Additionally, our patients can report incidents of suspected identity theft to local law enforcement, the Federal Trade Commission, and the Indiana Attorney General. To file a complaint with the FTC, go to IdentityTheft.gov or call 1-877-ID-THEFT (1 (877) 438-4338). Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies. Information on how to contact the Indiana Attorney General can be found below:
Attorney General Todd Rokita
Indiana Government Center South – 5th Floor
302 W. Washington St.
Indianapolis, IN 46204
(317) 232-6201
in.gov/attorneygeneral/contact-us
We encourage our patients to take advantage of additional free resources on identity theft. We recommend that patients review the tips provided by the Federal Trade Commission’s Consumer Information website, a valuable resource with some helpful tips on how to protect personal information. Additional information is available at consumer.ftc.gov/topics/privacyidentity-online-security.
For more information, our patients can visit IdentityTheft.gov or call 1-877-ID-THEFT (1-877-438-4338). A copy of Identity Theft – A Recovery Plan, a comprehensive guide from the FTC to help patients guard against and deal with identity theft, can be found on the FTC’s website at consumer.ftc.gov/articles/pdf-0009_identitytheft_a_recovery_plan.pdf.
Placing a security freeze
Indiana law allows consumers to place a security freeze on their credit reports, free of charge. A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, patients should be aware that placing a security freeze on their credit report may delay, interfere with, or prevent the timely approval of any requests made for new loans, credit, mortgages, employment, housing or other services. We recommend that our patients work collaboratively with potential lenders, employers and service providers to ensure that a patient is protecting both their information and the approval status of their applicable request.
In order to place a security freeze on credit reports, a patient must contact all three bureaus. The request can be made to each of the three major consumer reporting agencies: Equifax (equifax.com); Experian (experian.com); and TransUnion (transunion.com) via secure email connection provided by each consumer reporting agency. Additionally, the request to place a security freeze may be in the form of a written request, and sent by regular, certified or overnight mail at the addresses below:
Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348
(888) 298-0045
Experian Security Freeze
P.O. Box 9554
Allen, TX 75013
(888) 397-3742
Trans Union Security Freeze
Fraud Victim Assistance Department
P.O. Box 2000
Chester, PA 19022-2000
(888) 909-8872
The credit reporting agencies have five business days after receiving the request to place a security freeze on the patient’s credit report, so we recommend placing the freeze as soon as the patient possibly can. The credit bureaus must also send written confirmation of the security freeze within 10 business days and provide the patient with a unique personal identification number (PIN) or password, or both, that can be used to authorize the removal or lifting of the security freeze.
Lifting or suspending a security freeze
To temporarily lift or suspend the security freeze in order to allow a specific entity or individual access to a credit report, the patient must call or send a written request to the credit reporting agencies by mail (or through each credit reporting agency’s secure email connection) and include proper identification (name, address, and social security number) and the PIN number or password provided when the security freeze was placed as well as the identities of those entities or individuals that may receive the credit report, or the specific period of time the credit report is made available. The credit reporting agencies have three business days (or 15 minutes if the request is made via secure email connection) after receiving the request to lift the security freeze for those identified entities, or for the specified period of time.
Removing a security freeze
To remove the security freeze, the patient must send a written request to each of the three credit bureaus by mail (or through each credit reporting agency’s secure email connection) and include proper identification (name, address, and social security number) and the PIN number or password provided when the security freeze was placed. The credit bureaus have three business days (or 15 minutes if the request is made via secure email connection) to remove the security freeze after receiving the request.
For more information
We sincerely regret any inconvenience or concern caused by this incident. If patients have further questions or concerns, they can call 1 (866) 810-3352 toll-free Monday through Friday from 9 a.m. to 6:30 p.m. (excluding major U.S. holidays).
Our cyber security, as well as the safety and stability of our patients, employees, and vendors, is of the utmost importance to us and we remain committed to protecting personal information. We will continue to monitor the incident and advise our patients of any updates as may be necessary.