Health Care & Insurance  June 24, 2024

Class-action lawsuits target eye-care company after data breach

FORT COLLINS — At least three class-action lawsuits have been filed against Fort Collins-based Panorama Eye Care LLC, alleging that its failure to notify patients of a major data breach more than a year after its discovery caused their personal financial and medical data to be compromised.

Theresa Otero and Sarah Jones sued in U.S. District Court for Colorado in Denver, while Kathy Tormaschy sued in Larimer County District Court.

More than 377,000 current and former patients and employees had their health-care and other personal information — including Social Security numbers, dates of birth, license numbers, financial account information, dates of service and medical provider names — stolen by hackers during a 2023 cyberattack on Panorama, according to media reports from the time.

The company supports eye clinics including Eye Center of Northern Colorado as well as Panorama Lasik, Windsor Eye Care & Vision Center, Boulder Eye Surgeons, Denver Eye Surgeons, Cheyenne Eye Clinic & Surgery Center, Evergreen Vision Clinic, Haas Vision Center, 2020 Vision Center and Arvada Vision & Eye Clinic. A call center representative fielding questions about the data breach said all Panorama’s clinics were affected.

The company employs more than 500 people and generates approximately $73 million in annual revenue.

The attorneys for Otero, Jones and Tormaschy did not return calls for comment before BizWest’s afternoon deadline, and officials of Panorama could not be reached.

Panorama said it first discovered the attack on June 3, 2023, and found that hackers had access to its network as far back as May 22, 2023. The company claimed its investigation into the incident concluded nearly a year later, on May 9, and that it sent out letters to affected patients on June 5, providing them with a list of what information belonging to them was compromised.

However, last July, the now-defunct LockBit ransomware gang had claimed that it stole 798 gigabits of data from Panorama. Panorama did not mention LockBit in its letters sent to patients or in a breach notice sent to the state attorney general’s office in Maine.

“Panorama has no evidence that any of the compromised information has been misused for identity theft,” the company stated, but added that “Panorama reminds its employees and patients to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. Panorama also recommends that its patients review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized.”

The young daughter of Otero, a resident of Fort Lupton, had received care at Panorama. In the complaint filed for Otero by attorney Kathryn “Kate” L. Stimson of the Stimson LaBranche Hubbard LLC law firm in Denver, Otero claims that “the data breach occurred because Panorama failed to implement reasonable security protections to safeguard its information systems and databases. Thereafter, Panorama failed to timely determine that the unauthorized cybercriminals accessed files containing the private information of plaintiff and class members until May 9, 2024, nearly one year after the data breach. Moreover, before the data breach occurred, Panorama failed to inform the public that its data security practices were deficient and inadequate. Had plaintiff and class members been made aware of this fact, they would have never provided such information to Panorama.”

As a result, the complaint continued, Otero and others affected lost:

  • Value of their private information.
  • Out-of-pocket expenses associated with the prevention and detection of, and recovery from, identity theft, tax fraud, and/or unauthorized use of their private information.
  • Opportunity costs associated with attempting to mitigate the actual consequences of the data breach, including loss of time needed to take appropriate measures to avoid unauthorized and fraudulent charges.
  • Time needed to investigate, correct and resolve unauthorized access to their accounts.
  • Time needed to deal with spam messages and emails received subsequent to the data breach.
  • Charges and fees associated with fraudulent charges on their accounts.
  • Continued and increased risk of compromise to their private information, “which remains in Panorama’s possession and is subject to further unauthorized disclosures so long as Panorama fails to undertake appropriate and adequate measures to protect their Private Information.”

In Otero’s complaint, Stimson notes that “the most sought after and expensive information on the dark web are stolen medical records, which command prices from $250 to $1,000 each. Medical records are considered the most valuable because, unlike credit cards, which can easily be canceled, and Social Security numbers, which can be changed, medical records contain a treasure trove of unalterable data points, such as a patient’s medical and behavioral health history and demographics, as well as their health insurance and contact information. With this bounty of ill-gotten information, cybercriminals can steal victims’ public and insurance benefits and bill medical charges to victims’ accounts. Cybercriminals can also change the victims’ medical records, which can lead to misdiagnosis or mistreatment when the victims seek medical treatment. Victims of medical identity theft could even face prosecution for drug offenses when cybercriminals use their stolen information to purchase prescriptions for sale in the drug trade.”

The lawsuit seeks a jury trial, certification of Otero’s complaint as a class-action lawsuit, and injunctive relief against Panorama as well as damages to be determined at trial.

Stimson also represented Kathy Tormaschy of Loveland, whose similar class-action lawsuit was filed in Larimer District Court.

Jones, whose city of residence was unspecified in her complaint and who underwent eye surgery at Panorama, is represented by Jeff Ostrow of the Kopelowitz Ostrow law firm in Fort Lauderdale, Florida. 

Her complaint notes that Panorama offered credit-monitoring services to those patients whose Social Security numbers were involved in the data breach, but adds that such action “does not adequately address the lifelong harm that victims will face following the data breach,” and that “the risk of identity theft and unauthorized use of plaintiff’s and class members’ private information is still substantially high. The fraudulent activity resulting from the data breach may not come to light for years.”

The cases are Otero v. Panorama Eye Care LLC, case number 24-cv-01694-PAB, and Jones v. Panorama Eye Care LLC, case number 24-cv-01737-DDD-NRN, in U.S. District Court for the State of Colorado; and Kathy Tormaschy v. Panorama Eye Care LLC, case number 2024 CV 030509 in Larimer County District Court.

Dallas Heltzell
With BizWest since 2012 and in Colorado since 1979, Dallas worked at the Longmont Times-Call, Colorado Springs Gazette, Denver Post and Public News Service. A Missouri native and Mizzou School of Journalism grad, Dallas started as a sports writer and outdoor columnist at the St. Charles (Mo.) Banner-News, then went to the St. Louis Post-Dispatch before fleeing the heat and humidity for the Rockies. He especially loves covering our mountain communities.