St. Luke’s Health system notified its patients about the exposure of protected data, including Social Security numbers and diagnosis codes.
St. Luke’s Health, a Texas-based system of 16 hospitals, learned that its consultant, Adelanto Healthcare Ventures (AHCV), had email accounts for two of its employees compromised by an unknown third party on November 5, 2021.
The initial investigation by AHCV indicated that no protected information of St. Luke’s Health patients had been exposed. However, after further review, AHCV determined that the compromised email accounts contained St. Luke’s Health protected health information and notified St. Luke’s Health of its new findings on September 1, 2022.
This data included all or some of the following elements: names, addresses, dates of birth, Social Security numbers, dates of service, medical record numbers, Medicaid numbers, and some limited clinical information in the form of treatment or diagnosis codes.
AHCV found no indication the data had been misused, according to an October 28 announcement.
St. Luke’s Health says there is no evidence that the attack is related to any other cybersecurity event currently impacting CommonSpirit Health, its parent company.
Healthcare facilities are increasingly targeted by cybercriminals. A recent survey by Sophos, the UK-based security software and hardware company, found that 66% of healthcare organizations were hit by ransomware last year, up from 34% in 2020.