Wolfe Eye Clinic disclosed on Tuesday it had experienced a data breech earlier this year in which the personal information of its customers may have been stolen.
“On February 8, 2021, Wolfe Eye Clinic was the target of a cybersecurity attack that involved an unauthorized third party attempting to gain access to our computer network,” the Marshalltown-based company, which has 20 locations around Iowa — including one in Iowa City and one in Hiawatha — said in a statement posted on its site. “Upon detecting this incident, we moved quickly to secure our network environment and launched a thorough investigation.”
Wolfe did not specify in its statement when it learned of the breech, but did say that because of “the complexity and scale of the cyberattack detected, the full scope of information potentially impacted was not fully realized until May 28, 2021.”
According to the company the “comprehensive forensic investigation into this incident concluded on June 8,” and it determined the customer information accessed during the breech “may include their name, mailing address, date of birth and Social Security number; and … it may also include protected medical and health information.”
In its statement, the company said it takes “the security of all information in our control very seriously.”
“Given this, we are taking steps to prevent a similar event from occurring in the future by implementing additional safeguards and enhanced security measures to better protect the privacy and security of information in our systems. Out of an abundance of caution, we are also notifying all potentially affected individuals and have begun mailing letters to everyone whose information may have been compromised because of this incident.”
Wolfe said it has hired IDX, a software company that specializes in data security, “to provide identity monitoring, at no cost, to affected individuals for twelve (12) months to help relieve concerns and restore confidence following this incident.”
More information about the monitoring program is available through IDX’s site or by calling 833-909-3906.
Earlier this month, hackers shut down Des Moines Area Community College’s computer systems in a ransomware attack. DMACC had to cancel classes for two and a half weeks while it attempted to remove all hackers’ malicious software from its system. Appearing on Iowa Press last weekend, DMACC President Rob Denson said it did not appear any accounts had been compromised in the attack, and the college did not pay the ransom demanded. Denson said DMACC’s insurance company “is talking with the threat actor” who claimed responsibility for the attack, but the college isn’t a party to those talks.
In August 2019, Hy-Vee disclosed it had a months-long data breech in 2018 and 2019, during which hackers accessed the credit and debit card information from millions of customer transactions at its fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Expresses and its Wahlburgers locations). Information from that breech was later discovered for sale online.
In October 2019, a class action lawsuit was filed against Hy-Vee alleging the theft of customer information was “the inevitable result of Hy-Vee’s inadequate data security measures and cavalier approach to data security.” Hy-Vee settled the case in January of this year, before beginning the discovery phase of the lawsuit, during which the company could have been compelled to produce documents and company officials could have been questioned under oath.
