Posted On October 31, 2022 Consumer Privacy & Data Breaches
On October 28, 2022, several healthcare practice groups filed notice of a data breach with the Attorney General of Montana after they learned of a third-party data breach at U.S. Vision, Inc., a company that provided administrative services on behalf of the respective practices. Based on the companies’ official filings, the incident resulted in an unauthorized party gaining access to consumers’ full names, Social Security numbers, addresses, dates of birth, protected health information, and health insurance information. After confirming that consumer data was leaked, U.S. Vision began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the U.S. Vision data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from U.S. Vision, Inc.
The available information regarding the U.S. Vision breach comes from several companies’ filings with the Montana Attorney General. More specifically, three entities filed notice with the Montana AG: Nationwide Optometry, P.C., SightCare, Inc., and Nationwide Vision Center, LLC. In large part, the companies’ letters are identical and are based on the relationship between the filing entity and U.S. Vision.
Apparently, Nationwide Optical Group, LLC acquired or became affiliated with several practices in 2019. Prior to this, the acquired practices were affiliated with U.S. Vision. However, even after the acquisition, Nationwide Optical Group continued to use U.S. Vision’s administrative services for the newly acquired practice groups. Evidently, Nationwide Optometry, P.C., SightCare, Inc., and Nationwide Vision Center, LLC were three of the acquired or affiliated practices.
The filing companies explain that on May 12, 2021, U.S. Vision became aware of suspicious activity within its computer network. In response, the company secured its systems and worked with a third-party cybersecurity firm to investigate the incident.
The investigation revealed that an unauthorized party gained access to U.S. Vision systems between April 20, 2021 and May 17, 2021, and that sensitive patient and employee information was compromised as a result.
At this point, Nationwide Optometry, SightCare, and Nationwide Vision Center sought additional information about which parties’ data was leaked. At the time, U.S. Vision was unable to confirm who was affected. However, on September 22, 2022, U.S. Vision finished its investigation into the incident, confirming which parties were affected, and passed this information on to Nationwide Optometry, SightCare, and Nationwide Vision Center.
While the breached information varies depending on the individual, it may include your full name, date of birth, address, Social Security number, taxpayer identification number, driver’s license number, financial account information, medical information, treatment information (such as medical record number, dates of service, provider name, diagnosis or symptom information, and prescription/medication), health insurance information, and billing and claims information.
On October 28, 2022, Nationwide Optometry, SightCare, and Nationwide Vision Center sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Founded in 1885 as Wall & Ochs, U.S. Vision, Inc. is now a chain of optical centers and doctor practices with locations across the United States. U.S. Vision has a number of retail partners where its stores are located, including JCPenney, Meijer Optical, Boscov’s Optical, Optical Center, and 2020 Vision Centers. U.S. Vision employs more than 2,700 people and generates approximately $300 million in annual revenue.
After a data breach, the organization responsible for leaking consumer information may be liable through a data breach lawsuit. However, just because a breach occurred and your information was compromised doesn’t necessarily mean that the company you trusted with your information is financially responsible to you for any harm, such as identity theft. As a general rule, it is only when a company’s negligence was a contributing factor leading up to the breach that it is legally liable for a victim’s damages.
While all data breach lawsuits are complex, third-party data breaches are especially so. The term third-party data breach describes an incident where the company that was targeted in the cyberattack is not the same organization that was initially entrusted with the leaked information.
Determining which company is liable for the data breach can be challenging, and consumers whose information was leaked may not know where to look for answers. However, generally speaking, any company that maintains, stores, transmits or receives consumer data has a legal obligation to the consumer—regardless of whether the company that was breached received the information directly from a consumer. In fact, for the most part, it does not matter how a company comes into possession of consumer data. Instead, the question is whether the company that was hacked or otherwise leaked the information was negligent.
In the case of the U.S. Vision data breach, it would appear that the reporting entities, Nationwide Optometry, SightCare, and Nationwide Vision Center, did not experience a breach and, therefore, are not likely responsible for consumers’ information being compromised. However, because these companies trusted U.S. Vision with your information, U.S. Vision accepted a duty to protect that information. Thus, in third-party data breaches such as this one, it is the breached entity that is most often liable to consumers.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the U.S. Vision data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by those practices impacted by the U.S. Vision, Inc. data breach (the actual notice sent to consumers can be found here):
We are writing to inform you of a data security incident that occurred at USV Optical, Inc., a subsidiary of U.S. Vision, Inc. (“U.S. Vision”) and may have affected your personal information. Nationwide Optical Group, LLC acquired or became affiliated with several entities from U.S. Vision in September 2019, including [Redacted]. Following this, U.S. Vision continued to provide us with some administrative services as a business associate to us. The records reviewed by U.S. Vision indicate that you may have received services from [Redacted] at some point in the past.
U.S. Vision has represented to us that on May 12, 2021, U.S. Vision became aware of suspicious activity involving its computer network. U.S. Vision launched an investigation into the nature and scope of the incident with the assistance of cybersecurity specialists. Through its investigation, U.S. Vision learned that an unauthorized individual accessed its network intermittently between April 20, 2021 and May 17, 2021, and that files containing your information may have been viewed and/or taken by the unauthorized individual.
U.S. Vision informed us of this incident on May 12, 2021, but was unable to identify which entities or patients were affected by this incident. We immediately began communications with U.S. Vision to obtain more information regarding this incident and determine whether any of our patients were affected. We also insisted that U.S. Vision institute dark web monitoring for any potential [Redacted] data that could have been involved in this incident. U.S. Vision did not report any instances of actual or attempted misuse of [Redacted] information through its dark web monitoring.
In addition, U.S. Vision has represented that, with third-party support, it conducted a comprehensive review of the impacted files to determine what information was affected and to whom the information related. On September 22, 2022, we received confirmation from U.S. Vision that your personal information was involved in this incident. We then conducted additional data enrichment and validation to further confirm impacted individuals and their mailing addresses, and the entities with which such individuals were associated. This review was completed on October 17, 2022.
What information may have been involved?
Personal information involved in this incident may have included one or more of the following elements: (1) identifying information (such as full name, date of birth, and address); (2) Social Security number, taxpayer identification number, driver’s license number, and/or financial account information; (3) medical and/or treatment information (such as medical record number, dates of service, provider name, diagnosis or symptom information, and prescription/medication); (4) health insurance information (such as payor and subscriber/Medicare/Medicaid number); and (5) billing and claims information. Please note that not all data elements were present for all individuals. [Redacted]
What we are doing.
U.S. Vision has stated that upon discovering the incident, it moved quickly to investigate and respond, assess the security of relevant U.S. Vision systems, and identify any impacted data. As part of its ongoing commitment to the security of information, U.S. Vision has stated that it is evaluating opportunities to improve security and to better prevent future events of this kind. We take privacy and security very seriously. This incident did not impact our systems or files—it occurred at and impacted only U.S. Vision systems and files. We have and continue to enhance our security controls and monitor our systems to ensure no similar activity occurs on our systems.
We have arranged to offer you credit monitoring and identity restoration services for a period of [Redacted] months, at no cost to you. You have until January 28, 2023 to activate these services, and instructions on how to activate these services are included in the enclosed Reference Guide.
What you can do.
In addition to enrolling in complimentary credit monitoring and identity restoration services, the enclosed Reference Guide includes additional information on general steps you can take to monitor and protect your personal information. We encourage you to carefully review credit reports and statements sent from providers as well as your insurance company to ensure that all account activity is valid. Any questionable charges should be promptly reported to the company with which the account is maintained.
For more information
If you have any questions about this matter or would like additional information, please refer to the enclosed Reference Guide, visit [Redacted], or call toll-free 1-833-814-1705. This call center is open from 6 AM – 6 PM Pacific Time, Monday through Friday, except holidays.
We sincerely regret that this incident occurred and apologize for any inconvenience this incident may have caused you.