Adventist Health Tulare has issued a press release about a breach at a business associate in Nebraska.
The June 7 press release states, “A data security incident was recently discovered by Signature Performance, an agency working on behalf of Adventist Health Tulare to collect payment for services.”
Their investigation determined that an unknown party accessed certain files on Signature Performance’s network. “Signature Performance discovered that more than 70,000 patients were affected by this breach. Every case is different for each patient, and each patient will receive a letter from Signature Performance regarding what information is impacted,” they write.
A copy of the full statement can be found on Adventist Health’s website. It is not linked from Adventist Health’s homepage or from Adventist Health Tulare’s home page, and it is not linked from their News section. Given that patients may not recognize the name Signature Performance as a return address on postal mail, Adventist should have a prominently linked notice on its website to make patients aware they may be receiving mail from Signature Performance.
What we don’t know so far
A careful reading of the press release suggests at least two gaps in our understanding of this incident, apart from obvious questions such as how the attacker gained access.
When did Signature Performance first discover the breach of their system?
Adventist Health says that Signature Performance “recently discovered….” What do they mean by “recently?” DataBreaches notes that in February of this year, Signature Performance notified the Maine Attorney General’s Office of a breach that reportedly affected 7,122 people. That breach occurred between January 17 and January 18 and was discovered on January 18, 2024.
Is this the same incident that Adventist Health Tulare is now reporting as recently discovered, or is this a second or new incident at Signature Performance? DataBreaches submitted a contact form inquiry to Signature Performance today to ask if the incident reported by Adventist Health Tulare is the same incident they reported to Maine in February. No reply has been received as yet.
When did Signature Performance first notify Adventist Health of the breach?
Adventist’s press release does not disclose when Signature Performance first notified them of the breach. Signature Performance is sending out the individual notification letters, but when was Adventist first notified? Have they known about this since January or February, or is this really a new incident and they were only very recently notified?