St. Luke’s Health Reports Third Party Data Breach

By | November 7, 2022

St. Luke’s Health has recently notified 16,906 patients that some of their protected health information has been exposed in a security incident at a vendor that provides consulting services. On November 5, 2021, the email accounts of two employees of Adelanto Healthcare Ventures (AHCV) were accessed by an unauthorized individual.

An investigation was launched into the incident, which initially determined no patient information had been exposed; however, a subsequent review determined the information of certain St. Luke’s Health patients was present in the email accounts and could potentially have been accessed or acquired by the attackers. The exposed information included names, addresses, dates of birth, Social Security numbers, dates of service, medical record numbers, Medicaid numbers, and some limited clinical information, such as treatment and diagnosis codes. St. Luke’s Health was notified about the breach on September 1, 2022

St. Luke’s Health explained in its breach notification letters that no reports have been received that suggest there has been any misuse of patient data; however, as a precaution, AHCV is offering affected individuals complimentary identity theft and credit monitoring services.

St. Luke’s Health is currently recovering from a ransomware attack on its parent company, CommonSpirit Health, that occurred more than a month ago. CommonSpirit Health is still facing disruption to business operations as a result of the attack but has now restored the MyChart patient portal and providers can now access their patients’ electronic medical records.

Tift Regional Health System Investigating Cyberattack and Data Breach

Tift Regional Health System (TRHS) in Tifton, GA, has recently announced that its systems have been compromised and that the attackers potentially accessed and obtained the protected health information of some of its patients. The unauthorized system access occurred on or around August 16, 2022. Prompt action was taken to secure its systems and an investigation was launched to determine the nature and scope of the attack.

TRHS said files on its systems were not encrypted, and its electronic medical record system was not accessed; however, the forensic investigation was unable to rule out unauthorized access and theft of files that contained patient information. The files on the compromised part of the network contained Social Security numbers, patient identification numbers, driver’s license numbers, medical information, treatment information, diagnosis information, health insurance information, and dates of birth.

TRHS said it is reviewing its existing policies and procedures regarding cybersecurity and additional safeguards are being evaluated to protect against this type of incident in the future. The breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals. That number is often used as a placeholder until the full extent of the breach is known.

Wenco Management Reports Breach of Health and Welfare Benefit Plan Member Data

The protected health information of 20,526 employees of Wenco Management, LLC, has been exposed and potentially obtained by unauthorized individuals. Wenco Management operates the Wendy’s fast-food chain. Affected employees were members of its Health and Welfare Benefit Plan.

Wenco Management identified the breach on August 21, 2022. After its systems were secured, a forensic investigation was launched to determine the nature and scope of the breach, which confirmed an unauthorized individual had accessed its network and potentially viewed and obtained employee records that included names, Social Security numbers, and plan selection information. The breach occurred on the same day it was identified and blocked. Affected individuals have been offered complimentary credit monitoring services. Wenco Management said it has taken steps to improve the security of its systems to prevent further data breaches in the future.

The post St. Luke’s Health Reports Third Party Data Breach appeared first on HIPAA Journal.