Doctors of optometry allege harm from 2016 security breach.

Ruling allows lawsuit against NBEO to proceed

A once-dismissed lawsuit by doctors of optometry against the National Board of Examiners in Optometry (NBEO) for its alleged role in a 2016 data breach can proceed after all, a federal appeals court ruled June 12.

Rhonda Hutton, O.D., and other doctors of optometry originally filed separate suits in August and September 2016. Their lawsuit, after their cases were combined, was thrown out by a district court in March 2017 because it ruled their allegations of harm were "speculative" and that the breach could not be traced to NBEO.

However, the 4th Circuit U.S. Court of Appeals disagreed last month with that lower court decision. Not only was injury sufficiently alleged by plaintiffs, the appeals court wrote, the judges also found grounds to conclude the breach could have originated with NBEO:

"The Complaints contain allegations demonstrating that it is both plausible and likely that a breach of the NBEO's database resulted in the fraudulent use of the Plaintiffs' personal information, resulting in their receipt of unsolicited Chase Amazon Visa credit cards."


The appeals court decision means the Hutton lawsuit can go forward. NBEO has denied it is the source of the breach.

Liang case on hold

In a separate suit filed Aug. 14 in the U.S. District Court of Maryland,  Brenda Liang, O.D., and others also sought class action status, alleging that NBEO, or a party within its control, failed to protect sensitive personal information-names, birthdates, Social Security numbers (SSNs), addresses or credit card information-of exam takers and others contained in NBEO's systems. The complaint goes on to claim that NBEO not only failed to provide notice of the breach to victims, but also denied its responsibility for the breach.

Brought forward by nine doctors of optometry and one student affected by the breach, the complaint alleged that NBEO is the only common thread among the parties and provides examples of financial harm suffered by the plaintiffs. The lawsuit seeks damages, restitution, attorneys' fees and injunctive relief.

"The fraud resulting from this data breach is as extensive as any data breach in history, with an alarming percentage of optometrists practicing in the United States having already suffered identity theft and fraud," the Liang complaint stated. "The damage resulting from this breach is extensive and ongoing."

In one case, a plaintiff reported three separate occasions where fraudsters applied for Chase Amazon Visa credit cards using her stolen personal information. Although all three applications were cancelled due to the plaintiff's diligence in freezing her credit, the plaintiff's credit card information was used to charge more than $1,800, a reloadable prepaid Visa was opened in her name and a fraudulent eBay order was placed.

In another case, the plaintiff alleges that she proactively and periodically contacted Chase to inquire about applications filed in her name. When the plaintiff learned of one such fraudulent application filed in her maiden name, she reported the fraud; however, she notes the "hard inquiry" from the fraudulent application still appears months after the fact, damaging her credit. It wasn't until April 2017 that the plaintiff learned of another fraudulent application using her maiden name and parents' address- which the plaintiff claims is the same information used to register with NBEO.

"She provided the Illinois Optometric Association and the American Optometric Association (AOA) with her new name after she was married in 2014, and she had updated her address with those organizations in 2013," the complaint alleges. "She never updated any of her information with NBEO because the board exams were long over and it seemed unnecessary as NBEO is not an active organization like AOA."

Moreover, after these fraudulent applications were filed, the plaintiff claims that she confirmed that NBEO still maintained her prior name and address in its systems.

Other plaintiffs' accounts note the combination of maiden/married names and outdated addresses, financial harm, expenses associated with credit monitoring services, and concern for sensitive personal information being sold on the internet.

It's believed that fraudsters stole personal information to take advantage of an Amazon.com promotion where enrollees for a Chase Amazon Vision credit card would receive $50 in their account. The complaint alleges fraudsters used victims' real information for the application, then linked the card to a false account to collect the money. But, subsequently, the fraud has expanded beyond these Chase Amazon cards and affected victims' other accounts.

The Liang case remains under a Dec. 18 stay order, pending the outcome of the Hutton lawsuit.

AOA advocates for doctors, students throughout

Amid the initial wave of malicious credit line openings circulating Aug. 2, 2016, the AOA immediately conducted its own internal investigation-finding no breach of its database-and began imploring affected parties to hedge against credit or financial damage. As the situation progressed, and it became clear that SSNs were the targeted personal information, then AOA President Andrea P. Thau, O.D., called on NBEO to issue reassurances that such personal data was protected.

Lacking any formal reply, AOA's Board of Trustees took additional action Oct. 8, appealing to other optometric organizations to petition optometric testing organizations over the elimination of SSNs as personal identifiers. Weeks later, NBEO announced it would discontinue use of SSNs in favor of a new 'OE Tracker number system' that addressed "contemporary global concerns about the challenges in protecting personal identifiers within all databases," the NBEO's TestPoints® newsletter stated.

At the time, Dr. Thau called the move a step in the right direction, adding: "[AOA] will continue to press for action, including federal investigation into the breach, to provide peace of mind for our members and colleagues."

In a letter to the U.S. Attorney General's Office, the AOA called for further Department of Justice investigation into the identity thefts in hopes of holding those responsible accountable. In the months since, AOA has relayed information, as it becomes apparent, to help mitigate concerns stemming from the data breach, including hosting a session with the FTC.

"The profession deserves to know as promptly as possible the sources and extent of the breach, and the remedy offered by the compromised party," said AOA Immediate Past President Christopher J. Quinn, O.D. "This has been our message from day one to law enforcement and federal agencies, as well as to any individual or any organization with knowledge of what occurred." 

Affected by the data breach? Click here to read more about protecting your identity from the FTC.

July 9, 2018

comments powered by Disqus