The St. Luke’s Health System announced Thursday that personal information of some patients could have been obtained by an unauthorized entity in a data breach of one of its contractors.
St. Luke’s stated in a news release that a business vendor that provides statement processing and billing services recently informed St. Luke’s that it had experienced a “cybersecurity incident” in late May in which an “unauthorized actor” obtained personal information of people in its database.
“On July 6, St. Luke’s learned that protected health information of patients who were billed in May 2022 for St. Luke’s services could have been accessed as part of this vendor’s cybersecurity incident,” St. Luke’s stated. “While the investigation is ongoing, St. Luke’s has expedited the notification process to communicate now with those who may have been impacted.”
St. Luke’s stated that “there is no evidence at this time that the unauthorized actor has misused this information.” People whose information might have been obtained will be personally notified by St. Luke’s through a mailed letter, the organization stated.
Information that may have been compromised includes: the patient’s first and last name, date of birth and last five digits of their Social Security number; a description of services received, date(s) and location of services received; health-care provider name; patient account number; and the guarantor’s name, address, phone number and identification number. Financial information that may have been compromised includes the amount billed for services, any outstanding balance, payment due dates and status of the payment account, St. Luke’s stated.
“St. Luke’s takes its responsibility to safeguard personal and protected health information very seriously,” said Dave Self, senior vice president and chief administrative officer of St. Luke’s. “To best protect our patients, we have suspended all processing activities with this vendor. St. Luke’s cybersecurity and compliance teams are working closely with the vendor on this investigation.”
Self said St. Luke’s is encouraging patients who receive a notification letter in the mail to utilize the free identity-theft protection services being offered to them and to enroll in credit and cybersecurity monitoring.
“The vendor has engaged the FBI and contracted with an external forensics firm to better understand this incident and has implemented improved security measures to prevent a similar incident in the future,” St. Luke’s stated.
St. Luke’s said it has partnered with data-breach experts “to ensure the highest level of protection for patients who may have been impacted by this incident.”
With the experts, St. Luke’s is offering the following complimentary protection services:
- Identity-theft protection services.
- 12 months of credit and CyberScan dark-web monitoring.
- $1,000,000 insurance reimbursement policy.
- Call-center support to answer questions and help those affected enroll in free identity-protection services.
A call center was scheduled to be activated at 4 p.m. Thursday to provide additional information. The number is 1-833-423-2976. The call center will be available Mondays through Fridays from 7 a.m. to 7 p.m. Mountain Standard Time. 
Post a comment as anonymous
Report
Watch this discussion.
(0) comments
Welcome to the discussion.
Log In