Notice of Data Breach
Ocuco recently experienced a data incident that involved personal information, including protected health information (“PHI”), for certain individuals associated with various eye care providers that are Ocuco customers. Ocuco is providing notice of this incident, along with background information on the incident and steps that individuals whose data was involved can take.
What Happened?
On April 1, 2025, Ocuco learned that a third party was claiming to have stolen information from its environment via a posting on the unindexed internet (also known as the dark web). Ocuco immediately took steps to secure its virtual environment and launched an investigation to determine if this claim was legitimate by engaging external cybersecurity experts.
Ocuco’s investigation revealed that an unauthorized actor accessed two non-production servers and certain files stored therein between March 28, 2025, and April 1, 2025, and some files were copied from one of those servers between March 30, 2025, and April 1, 2025. Ocuco’s investigation determined this unauthorized access was enabled by a newly discovered vulnerability contained within third-party software Ocuco uses that was not timely disclosed to Ocuco. Ocuco conducted a review of the files to identify individuals whose information may have been involved and worked to obtain addresses and notify them as quickly as possible.
What Information Was Involved?
While the data involved varied by individual, Ocuco’s review determined that it may have included the following: name, address, Social Security number, medical record number, health insurance number, provider name, prescriptions or medications, treatment or diagnosis, lab results, medical history, payment for health services, workers’ compensation claims with medical information, health insurance coverage information, health insurance claim information, financial account number without access information, and driver’s license number.
What is Ocuco Doing?
Ocuco has fully patched the vulnerability. Further, Ocuco has undertaken a general review of its cybersecurity controls and procedures to ensure that the company maintains the highest levels of security for its network, systems, and data. Ocuco continues to evaluate additional steps that may be taken to further enhance the security of its environment.
What You Can Do
While Ocuco has no evidence to suggest that individuals’ information was targeted or has been misused for purposes of fraud or identity theft, Ocuco will be sending letters to individuals whose data was involved in the incident with steps they can take.
Ocuco takes the security of personal information seriously and sincerely regrets that this incident occurred.
For more information, or for any questions or additional information, please call 1-833-397-3848 Monday through Friday, excluding holidays, between 8:00 a.m. and 8:00 p.m. Eastern Time.