Lawsuit faults NBEO over data breach

A new lawsuit seeks to implicate the National Board of Examiners in Optometry (NBEO) in an ongoing data breach affecting untold numbers of optometry students and doctors.

Filed Aug. 14 in the U.S. District Court of Maryland, the complaint, which is seeking class-action status, alleges that NBEO, or a party within its control, failed to protect sensitive personal information—names, birthdates, Social Security numbers (SSNs), addresses or credit card information—of exam takers and others contained in NBEO's systems. The complaint goes on to claim that NBEO not only failed to provide notice of the breach to victims, but also denied its responsibility for the breach.

"The profession deserves to know as promptly as possible the sources and extent of the breach, and the remedy offered by the compromised party. This has been our message from day one to law enforcement and federal agencies, as well as to any individual or any organization with knowledge of what occurred."

The lawsuit is very similar to one filed Aug. 30, 2016, against NBEO alleging that it was liable for the data breach. That case was dismissed on March 22, 2017. The court agreed with NBEO's contention that the plaintiffs in the earlier case failed to allege sufficient facts to tie NBEO to the breach and, furthermore, did not allege they had suffered a financial injury.

Brought forward by nine doctors of optometry and one student affected by the breach, the current complaint alleges that NBEO is the only common thread among the parties and provides examples of financial harm suffered by the plaintiffs. The lawsuit seeks damages, restitution, attorneys' fees and injunctive relief.

"The fraud resulting from this data breach is as extensive as any data breach in history, with an alarming percentage of optometrists practicing in the United States having already suffered identity theft and fraud," the current complaint states. "The damage resulting from this breach is extensive and ongoing."

In one case, a plaintiff reported three separate occasions where fraudsters applied for Chase Amazon Visa credit cards using her stolen personal information. Although all three applications were canceled due to the plaintiff's diligence in freezing her credit, the plaintiff's credit card information was used to charge more than $1,800, a reloadable prepaid Visa was opened in her name and a fraudulent eBay order was placed.

In another case, the plaintiff alleges that she proactively and periodically contacted Chase to inquire about applications filed in her name. When the plaintiff learned of one such fraudulent application filed in her maiden name, she reported the fraud; however, she notes the "hard inquiry" from the fraudulent application still appears months after the fact, damaging her credit. It wasn't until April 2017 that the plaintiff learned of another fraudulent application using her maiden name and parents' address—which the plaintiff claims is the same information used to register with NBEO.

"She provided the Illinois Optometric Association and the American Optometric Association (AOA) with her new name after she was married in 2014, and she had updated her address with those organizations in 2013," the complaint alleges. "She never updated any of her information with NBEO because the board exams were long over and it seemed unnecessary as NBEO is not an active organization like AOA."

Moreover, after these fraudulent applications were filed, the plaintiff claims that she confirmed that NBEO still maintained her prior name and address in its systems.

Other plaintiffs' accounts note the combination of maiden/married names and outdated addresses, financial harm, expenses associated with credit monitoring services, and concern for sensitive personal information being sold on the internet.

It's believed that fraudsters stole personal information to take advantage of an Amazon.com promotion where enrollees for a Chase Amazon Vision credit card would receive $50 in their account. The complaint alleges fraudsters used victims' real information for the application, then linked the card to a false account to collect the money. But, subsequently, the fraud has expanded beyond these Chase Amazon cards and affected victims' other accounts.

AOA advocates for doctors, students throughout

Amid the initial wave of malicious credit-line openings circulating Aug. 2, 2016, the AOA immediately conducted its own internal investigation—finding no breach of its database—and began imploring affected parties to hedge against credit or financial damage. As the situation progressed, and it became clear that SSNs were the targeted personal information, then AOA President Andrea P. Thau, O.D., called on NBEO to issue reassurances that such personal data was protected.

Lacking any formal reply, AOA's Board of Trustees took additional action Oct. 8, appealing to other optometric organizations to petition optometric testing organizations over the elimination of SSNs as personal identifiers. Weeks later, NBEO announced it would discontinue use of SSNs in favor of a new 'OE Tracker number system' that addressed "contemporary global concerns about the challenges in protecting personal identifiers within all databases," the NBEO's TestPoints® newsletter stated.

At the time, Dr. Thau called the move a step in the right direction, adding: "[AOA] will continue to press for action, including federal investigation into the breach, to provide peace of mind for our members and colleagues."

In a letter to the U.S. Attorney General's Office, the AOA called for further Department of Justice investigation into the identity thefts in hopes of holding those responsible accountable. In the months since, AOA has relayed information, as it becomes apparent, to help mitigate concerns stemming from the data breach, including hosting a session with the FTC.

"The profession deserves to know as promptly as possible the sources and extent of the breach, and the remedy offered by the compromised party," said AOA President Christopher J. Quinn, O.D. "This has been our message from day one to law enforcement and federal agencies, as well as to any individual or any organization with knowledge of what occurred." 

Affected by the data breach? Read more about protecting your identity from the FTC.