Vendor Data Breach Impacts At Least 9 Healthcare Organizations
Multiple healthcare organizations have reported breaches tied to Adelanto HealthCare Ventures, a consulting company that suffered a phishing attack in 2021.
Source: Getty Images
By Jill McKeon
- At least nine healthcare organizations recently reported a vendor data breach tied to Adelanto HealthCare Ventures (AHCV), a consulting company that specializes in Medicaid reimbursements.
According to the breach notices, AHCV became aware of suspicious activity in its digital environment on November 5, 2021. Further investigation revealed that an unauthorized party had accessed two employee email accounts via a phishing scam.
AHCV initially believed that no protected health information (PHI) was impacted. However, on August 19, 2022, the company determined that PHI may have been involved. Texas-based St. Luke’s Health notified 16,906 individuals of the AHCV breach back in November 2022.
The following organizations have issued similar breach notices in recent days:
- Texoma Medical Center
- Coral Shores Behavioral Health
- The Vines Hospital
- Northwest Texas Healthcare System
- Suncoast Behavioral Health
- South Texas Health System
- Doctors Hospital of Laredo
- Fort Duncan Regional Medical Center
Multiple organizations noted that their business associate did not receive sufficient information to conduct a breach analysis until December 27, 2022. The business associate began notifying these organizations in late January 2023.
The email accounts largely contained the patient names, facility names, age, patient account numbers, admission and discharge dates, insurance carriers, and balance information.
“Our Organization began mailing notification letters on March 29, 2023. We have also confirmed that AHCV is expanding its security measures in light of the incident and assessing additional training and security reminders for its employees,” Suncoast Behavioral Health stated in its notice.
“Our business associate has counseled its own employees on the incident and best practices, and is determining whether additional steps are needed. We also provided other required notices of this incident, such as notice to the U.S. Department of Health and Human Services.”
This breach is the latest reported vendor data breach to impact a variety of healthcare organizations at once. The majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors, signaling a need for better third-party risk management (TPRM) practices in the industry.
