At least ten healthcare providers are reporting data breaches caused by one third-party vendor, Adelanto HealthCare Ventures, LLC (AHCV). Universal Health Services, Inc. (UHS) owns the ten hospitals and behavioral health care clinics that seem to have been affected by the breach so far. The total number of patients is not yet known, but based on UHS’ breach report on the HHS breach portal, the number exceeds 40,000. The number may grow as more providers connected to AHCV come forward.
AHCV is a consulting firm that helps providers maximize Medicaid reimbursements. According to reports, AHVC was a subcontractor to an unnamed third party vendor (and business associate) which had contracts with the providers. Under HIPAA, AHVC is a subcontractor business associate, subject to the same requirements as business associates – to follow HIPAA and maintain the privacy and security of protected health information (PHI) in their care.
What Happened at AHCV
Apparently the hack on AHCV occurred through a phishing attack on two employee email accounts. AHCV first learned of the unauthorized access to the email accounts on November 21, 2021, but at the time they did not believe the hackers had accessed PHI.
Nine months later, on August 19, 2022, it was discovered that PHI may have been involved. AHCV and the business associate began an investigation, and apparently notified one provider, St. Luke’s Health, right away, but notified the nine other affected healthcare providers in late January, 2023. These nine providers began providing the HIPAA-required notices to patients on March 29, 2023.
From the nine providers, the hackers obtained the following types of patient information:
- the patient’s full name, and some or all of the following:
- facility name
- age
- patient account number
- admission and discharge date
- insurance carrier
- balance information
The breach notices emphasize that the hacked emails did not contain Social Security numbers, credit card numbers or other financial information, however at St. Luke’s Health the data involved was broader and included names, dates of birth, addresses, Social Security numbers, dates of service, Medicaid numbers, medical record numbers, and limited clinical information.
AHCV Reported a Breach in September 2022
Another AHCV breach report appeared on the Texas Attorney General data security breach report site, on September 8, 2022. Perhaps this was the St. Luke’s breach.
Although the health care provider and the number of patients affected were not disclosed in that report, the type of information accessed is described and it’s broader, including social security numbers and financial information, along with medical and health insurance information. We don’t know if that report is solely about St. Luke’s or whether it overlaps with the nine breaches reported by healthcare providers since then.
Tracking the Breaches Tied to AHCV
One of the first to publish information about the latest string of AHCV breaches is the news and commentary site, DataBreaches.net, and they’re tracking the multiple Adelanto breach reports as they become public.
Although UHS owns and operates 400 facilities in North America, so far only ten UHS providers in Texas and Florida are known to have been affected by this breach:
Texas:
- St. Luke’s Health – this breach, affecting 16,906 individuals, was reported to HHS on October 30, 2022 – the first AHCV related report
- Northwest Texas Healthcare System
- South Texas Health System
- Texoma Medical Center
- Doctors Hospital of Laredo
- Fort Duncan Regional Medical Center
Florida:
- Coral Shores Behavioral Health
- River Point Behavioral Health
- The Vines Hospital
- Suncoast Behavioral Health
Phishing Attacks on Business Associates Reap Profits for Hackers
As we’ve noted previously, a successful attack on a HIPAA business associate will yield massive amounts of valuable personal medical information because the business associate often has multiple contracts with healthcare providers. The same pattern seems to apply in the AHCV incident.
Follow HIPAA to Reduce Risks
The only way to stay ahead of the hackers is to follow HIPAA: do a Risk Analysis to ensure you have adequate safeguards to keep patient information secure; train employees to recognize and avoid phishing; conduct due diligence on your business associates, or if you are a BA, do the due diligence on your subcontractor business associates; follow a Risk Management plan year round to improve your security.