An Arizona firm providing administrative services to approximately twelve ophthalmology practices across multiple states is notifying nearly 2.4 million patients of a November hacking incident potentially compromising sensitive information. The breach is one of the latest major hacking incidents reported by HIPAA-regulated business associates; last year, 4 out of 10 hacks involved third-party vendors serving various healthcare organizations.

Medical Management Resource Group, operating as American Vision Partners, shares management systems, IT infrastructure, and management with these practices. The incident involved a network server hack affecting over 2.35 million individuals, with unauthorized activity detected on November 14. Immediate containment steps were taken, including isolating the affected system and engaging external cybersecurity firms, alongside law enforcement notification.

By December 6, the company confirmed that the unauthorized party had accessed personal information associated with affected patients, potentially compromising names, contact details, birthdates, medical records, and in some cases, Social Security numbers and insurance information. Affected individuals are advised to monitor their credit reports and account statements closely. MMRG is offering two years of complimentary identity and credit monitoring.

The company has yet to provide additional details, including the number of affected ophthalmology practices. Ophthalmology practices under American Vision Partners include those in Arizona, Nevada, Texas, New Mexico, and central California.

Dustin Hutchison, VP of Services and CISO at Pondurance, advises healthcare organizations to engage with vendors about security controls and ensure an aggressive vulnerability management program. He stresses that smaller practices should ensure security controls are met before selecting a vendor and should understand shared responsibility for security and compliance.