Posted On June 16, 2022 Consumer Privacy & Data Breaches
June 16, 2022 – Recently, Texas Tech University Health Science Center (“TTUHSC”) was informed by a third-party vendor that a breach of the vendor’s IT system leaked TTUHSC patient data. Based on estimates by TTUHSC, the total number of patients affected by the breach exceeds 1.3 million. As a result of the recent data security incident, certain patients’ names, Social Security numbers, addresses, phone numbers, driver’s license numbers, email addresses, dates of birth, medical record numbers, and health insurance information were compromised. On June 7, 2022, Texas Tech University Health Science Center posted notice of the breach on its website and sent data breach notification letters to all patients who were impacted by the recent breach.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the TTUHSC data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Texas Tech University Health Science Center.
Texas Tech University Health Science Center has confirmed the breach and released data breach notification letters to affected patients. It has also posted notice of the incident on its website (see below). Based on this information, it appears that the TTUHSC breach was the result of a data security incident at a third-party vendor TTUHSC relied on for Electronic Health Record management services.
The name of this third-party vendor is Eye Care Leaders. Evidently, on April 19, 2022, Eye Care Leaders notified Texas Tech University Health Science Center that it had experienced a cyberattack. Based on reports from Eye Care Leaders, the company first detected the breach on December 4, 2021, at which point the company launched an investigation into the incident. This investigation confirmed that sensitive patient information was contained in the compromised files.
After learning of the third-party breach, Texas Tech University Health Science Center then reviewed the affected files to determine what information was affected and who it belonged to. While the breached information varies depending on the individual, it may include your name, address, phone number, driver’s license number, email address, gender, date of birth, medical record number, health insurance information, appointment information, social security number, and medical information related to ophthalmology services obtained through Texas Tech University Health Science Center.
Subsequently, Texas Tech University Health Science Center sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Texas Tech University Health Science Center is a public medical school based in Lubbock, Texas. TTUHSC is a separate institution from Texas Tech University; however, both universities are part of the Texas Tech University System. TTUHSC operates five schools, including TTUHSC School of Medicine with campuses in Amarillo, Lubbock and Odessa; TTUHSC School of Nursing with campuses in Abilene, Lubbock and Odessa; TTUHSC School of Health Professions with campuses in Amarillo, Lubbock, Midland and Odessa; Jerry H. Hodge School of Pharmacy with campuses in Abilene, Amarillo, Lubbock and Dallas; and TTUHSC Graduate School of Biomedical Sciences with campuses in Abilene, Amarillo and Lubbock. TTUHSC has approximately 4,600 full-time students and serves patients living in more than 100 counties in western Texas.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the TTUHSC data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Texas Tech University Health Science Center (the actual notice sent to consumers can be found here):
Texas Tech University Health Sciences Center (TTUHSC) is notifying patients of a potential breach of information held by Eye Care Leaders, Inc. (ECL). ECL is a third-party service provider of an Electronic Medical Records (EMR) system utilized by TTUHSC. The service provider reports that the security incident affecting ECL’s databases and files took place on Dec. 4, 2021. ECL reported that it detected the incident in less than 24 hours, disabled the compromised system, and initiated an investigation.
On April 19, ECL provided TTUHSC final results of a forensics investigation into the security incident, which confirmed that some of the compromised databases and files contained patient records. Although no evidence could be found that such records were exfiltrated or used by unauthorized individuals, the possibility could not be definitively ruled out due to insufficient log files.
ECL’s compromised databases and files may have contained the following information: name, address, phone numbers, driver’s license number, email, gender, date of birth, medical record number, health insurance information, appointment information, social security number, as well as medical information related to ophthalmology services received at TTUHSC.
Meanwhile, the forensics investigation revealed that databases and files compromised as part of the incident did not include credit card or financial information.
TTUHSC has provided access to a toll-free number at 855-891-1998 available Monday through Friday 8 a.m. to 10 p.m. and Saturday through Sunday from 10 a.m. to 7 p.m. (CDT) for patients who may have questions.
TTUHSC has not received any further indication that any patient information has been accessed or used without authorization. However, patients may call any of the three major credit bureaus to request credit information or request a credit file fraud alert.
Patients who receive a notification letter may also utilize a complimentary 12-month membership to Experian’s® IdentityWorksSM, which provides identity theft detection and resolution of identity theft. More information about how to enroll and details of the complimentary service is included in patient notification letters.
TTUHSC will continue to monitor this incident by engaging information technology experts and legal counsel. This incident has also been reported to the U.S. Department of Health and Human Services and state regulators, as applicable.