A hack into a third-party vendor’s email reportedly led to the exposure of patient and clinical data, resulting in care delays and clinical workflow disruptions across the health system.
St. Luke’s Health learned that a data breach affecting consultant Adelanto Healthcare Ventures had compromised protected health information. The data breach affecting the Texas-based system of 16 hospitals is unrelated to the massive ransomware attack on its parent company, CommonSpirit Health.
Unaware for nearly a year
Initially, the third-party consultant’s investigation determined that St. Luke’s data was not affected, according to an October 28 announcement.
However, further investigation revealed that email accounts for two of its employees, hacked into on November 5, 2021, did contain St. Luke’s patient information – including personally identifiable information, medical record numbers, treatment and diagnosis codes and more. Adelanto Healthcare Ventures updated the health system on the discovery on September 1.
While the healthcare data breach was reported on October 30, according to the U.S. Department of Health and Human Services Office for Civil Rights list of cases under investigation for breach of unsecured PHI, the local community began to experience the effects weeks before.
KHOU Houston local news reported on October 5 that some patient appointments were being rescheduled. One nurse, who wished to remain anonymous, also told the outlet that some of St. Luke’s facilities were charting entirely on paper.
To prevent further data exposure, St. Luke’s said in its breach announcement that it has taken some systems offline until the incident is resolved.
The health system also said it is notifying affected patients – 16,906 individuals, according to OCR – and offering no-cost identity monitoring.
Hacks by the numbers
Cyberattacks are happening almost every day, which has led the federal government to mandate Zero Trust architecture across agencies.
Some healthcare cyberattacks have historically been the work of criminal gangs, while cyberwarfare has lately become a concern across critical sectors.
Since the start of the year in the United States, there have been 194 cases of cyber hacking/IT incidents breaching email accounts reported to OCR.
Hacks targeting electronic medical records total 41, while there are 483 cases under investigation targeting network servers.
Overall, OCR lists 911 cases of PHI data breaches under investigation so far this year.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS publication.