U.S.Vision Data Breach Affects Sensitive Personal Data

JULY 2, 2024 UPDATE: U.S. Vision has reached a $3,450,000 data breach settlement.

‍

On April 20, 2021, U.S.Vision, Inc., experienced a significant data breach that affected customers of JCPenney Optical. The breach was discovered on May 12, 2021, when U.S.Vision noticed suspicious activity on their network. An investigation revealed that an unauthorized individual had accessed their network intermittently between April 20, 2021, and May 17, 2021. During this period, files containing sensitive consumer information were potentially viewed and/or taken by the unauthorized individual.

The compromised data includes a wide range of personal and medical information:

• First/last name
• Date of birth
• Address
• Telephone number
• Gender
• Vision care and/or treatment information
• Record number
• Dates of service
• Provider name
• Diagnosis code information
• Vision care insurance information
• Payor
• Subscriber/Medicare/Medicaid number
• Billing and claims information

This breach is severe due to the breadth and sensitivity of the information exposed. The unauthorized access was carried out by an individual who managed to infiltrate U.S.Vision's network multiple times over nearly a month.

U.S.Vision's Response

Upon discovering the breach, U.S.Vision immediately launched an investigation with the help of industry-leading cybersecurity specialists. They conducted a comprehensive review of the impacted files to determine the extent of the breach and identify the affected individuals. U.S.Vision has taken steps to improve their security measures to prevent future incidents.