Data leak

Luxottica EyeCare Data Breach — 70 Million Customer Records

📅 2021-03-16 🏢 Luxottica partner appointment scheduling application

Incident Details

In March 2021, an unauthorized actor gained access to a Luxottica partner appointment scheduling application that contained patient data for customers of Luxottica’s vision care brands — particularly EyeMed Vision Care and LensCrafters (both Luxottica subsidiaries). Approximately 70 million individuals’ data was exposed. The exposed data included names, addresses, phone numbers, email addresses, dates of birth, appointment dates, eye care insurance information, health plan membership and ID numbers, diagnostic and treatment information, and Social Security numbers for some individuals.

The breach was disclosed to HHS OCR in November 2021 by EyeMed Vision Care for its portion of the breach; LensCrafters filed a separate notification. HHS OCR opened investigations into both EyeMed and LensCrafters. Separately, EyeMed agreed to pay $2.5 million to the New York Department of Financial Services in 2021 for a prior data security incident (a 2020 phishing breach).

EyeMed is the US’s second-largest managed vision care company. Luxottica is the world’s largest eyewear company, manufacturing and retailing Ray-Ban, Oakley, LensCrafters, Pearle Vision, Sunglass Hut, and many other brands. The breach affected one of the largest optometry patient databases in the US.

Technical Details

Initial Attack Vector
An unknown attacker gained unauthorized access to a Luxottica partner application used for managing eye care appointments; the application stored scheduling and patient data for EyeMed Vision Care and LensCrafters patients.
Vendor / Product
Luxottica partner appointment scheduling application

Timeline

  1. 2021-03-16 Breach occurred
  2. 2021-11-13 Publicly disclosed
  3. 2021-11-13 Customers notified