Happening now: A number of hospitals are filing breach notices this week that appear to be linked to a breach at Adelanto HealthCare Ventures (AHCV) in 2021. The hospitals are all owned by Universal Health Services LLC (UHS).
So far, DataBreaches has found McAllen Hospitals, LP d/b/a South Texas Health System, Doctors Hospital of Laredo, Fort Duncan Regional Medical Center, Texoma Medical Center, and Northwest Texas Hospital notices that all appear linked to the AHCV breach. We will not be surprised to find more.
So what happened? It may be a bit difficult to follow the chronology because a business associate is not named, but the security alert on Northwest Texas Health System’s site relates to an incident reportedly first discovered on November 5, 2021 by AHCV, a consulting company that works for the unnamed business associate.
Note that the notice does not disclose when the incident occurred, but only that suspicious activity was first detected by AHCV on November 5, 2021. Notification letters to patients have first been sent on March 29, 2023.
With those dates as bookends, read:
What Happened?
Adelanto HealthCare Ventures, L.L.C. (“AHCV”) is a consulting company that works for one of our business associates. As part of these services, our business associate may provide AHCV with certain claim information on our patients. On November 5, 2021, AHCV became aware of suspicious activity and determined that two AHCV employee email accounts had been accessed without authorization as a result of a phishing incident. Initially, AHCV did not believe the incident involved any PHI of our Organization. It was not until August 19, 2022 that our business associate learned that certain PHI may have been involved.
[So AHCV was aware of suspicious activity on November 5, 2021, but didn’t notify the business associate that PHI may have been involved until August 19, 2022. They do not reveal when AHCV first discovered PHI was involved or why it wasn’t discovered earlier. All we know is that there was more than a nine-month gap to notify the business associate that PHI was involved. But to continue….]
Once our business associate learned of the incident, it launched an investigation into the matter and worked with AHCV to gather additional information on the incident to enable our business associate to determine whether there was a low probability that the PHI was compromised. Unfortunately, our business associate did not receive sufficient information to conduct this analysis until December 27, 2022.
[So AHCV didn’t notify the business associate that PHI was involved until August 19, 2022, and then didn’t give them the information that the business associate needed to conduct its investigation and assessment until another four months passed? What is AHCV’s excuse for not providing that info for four months? But to continue…]
There is no evidence to date to suggest that the PHI was copied or misused, but our business associate notified our Organization of the incident on January 28, 2023. Once we received this notice, we worked with our business associate to take the steps needed to provide notification to individuals.
So once the business associate received the information they needed, they notified the covered entity within a month, and then the covered entity made notifications within 60 days of that. Under HIPAA, it would seem that the business associate and covered entity complied with notification requirements in terms of timeliness.
But did all the entities involved comply with HIPAA and HITECH in terms of security requirements? If it takes nine months to determine that PHI was involved in two email accounts, and if it takes four additional months to give information to the business associate, that suggests some failures somewhere as no explanation has been provided at all to justify the delays in AHCV’s incident response.
Those who are interested can read UHS of Delaware’s full notification template on the Montana Attorney General’s website.
Not all of the hospitals mentioned in this report have filed with HHS or if they have, their reports haven’t been posted yet. Some have appeared on the Texas Attorney General’s site.
A sentence was added after publication to clarify that not all hospitals have shown up on HHS’s breach tool by this time and to add Texoma Medical Center to the list of entities linked to the breach.
Update2: Suncoast Behavioral Health and River Point Behavioral Health (both in Florida) were also impacted; but no numbers revealed as yet.
Update3: This is the same incident reported in October 2022 by St. Luke’s Health in Texas (16,906 patients affected).
Update4: The Vines Hospital in Florida also reports being affected.
Update5: Coral Shores Behavioral Health also reported on this.