St. Luke’s Health reports data breach
St. Luke’s Health became aware that a data breach affecting consultant Adelanto Healthcare Ventures compromised protected health information.
The data breach, which affected nine Texas-based hospitals and several clinics, laboratories and medical facilities from St. Augustine to Houston, was not involved in the massive ransomware attack against parent company CommonSpirit Health.
Unaware for almost a year
Initially, the third-party consultant’s investigation determined that St. Luke’s was unaffected, according to an October 28 announcement.
However, further investigation revealed that the email accounts of two company employees, hacked on November 5, 2021, contained St. Luke’s data, including personally identifiable information, medical record numbers, treatment and diagnostic codes, etc. Adelanto Healthcare Ventures updated the healthcare system with this finding on September 1.
While the healthcare data breach was reported on October 30, according to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) list of cases under investigation for breaches of unsecured PHI, the local community had already begun to experience the effects weeks earlier.
Local news outlet KHOU Houston reported on October 5 that some patient appointments had been rescheduled. The outlet was also told by a nurse, who wished to remain anonymous, that some St. Luke’s charting was being done completely on paper.
To prevent further data exposure, St. Luke’s said in its breach notice that it has taken some systems offline until the issue is resolved.
The health system also said it was notifying affected patients – 16,906 individuals, according to OCR – and offering free identity monitoring.
Hacks by the numbers
Cyberattacks occur almost daily, which has led the federal government to mandate a zero-trust architecture across agencies.
Some healthcare cyberattacks have historically been the work of criminal gangs, while cyberwarfare is a more recent concern across critical sectors.
Since the beginning of the year, 194 cases of cyberattacks/IT incidents that compromised email accounts have been reported to OCR in the U.S.
The total number of attacks targeting electronic medical records is 41, while 483 cases targeting network servers are under investigation.
Overall, OCR lists 911 PHI data breach cases under investigation so far this year.
Andrea Fox is the senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS publication.