Getty Images/iStockphoto
Third-Party Health Data Breach Hits Pennsylvania Health Network
A Pennsylvania health network is the latest victim of a cyber attack which exposed PHI.
Lehigh Valley Health Network (LVHN) is the latest victim of a third-party data breach which resulted in patients’ protected health information (PHI) being compromised.
LVHN, a Pennsylvania-based healthcare system, learned of the third-party data incident on June 4, according to a statement the LVHN media relations department issued to HealthITSecurity.
“Guidehouse, a global provider of professional services, recently learned in late March 2021 that it had been the victim of a cyber-attack,” the statement notes. “The attack occurred in late January 2021 and involved the compromise of a third-party service used for secure file transfer for many clients including Lehigh Valley Health Network (LVHN). Guidehouse provides business consulting services to LVHN.”
LVHN has eight hospitals and several health centers, physician practices, rehabilitation locations, urgent care sites and other outpatient care locations across Pennsylvania, according to its website.
“Based on the nature of the incident, it has taken time to accurately determine what data was impacted,” LVHN states. “After determining LVHN information was impacted, Guidehouse notified the health network on June 4, 2021.”
Investigators determined the breached data may include LVHN patients’ medical record numbers, account number(s), date(s) of service, diagnosis and procedure name, billing/payer information and provider names.
“This incident did not involve any unauthorized access to any systems or files maintained by the LVHN information technology systems,” the healthcare facility stated. “We are not aware of any misuse of the information.”
“We regret that this incident occurred and take the security of personal information seriously,” the LVHN statement notes.
Guidehouse also issued a statement on the data breach to HealthITSecurity through its spokesperson.
“Guidehouse is committed to protecting the confidentiality of our clients’ information,” the statement reads. “Like many other companies, Guidehouse was the victim of the widely reported vulnerability of a third-party file transfer service, Accellion FTA.”
“Guidehouse immediately discontinued use of Accellion FTA, notified law enforcement and has worked with external cybersecurity experts to fully investigate this issue,” the Guidehouse statement notes. “The Accellion FTA service was used for secure file transfer for Guidehouse clients including Lehigh Valley Heath Network.”
As a response to the data breach, Guidehouse is offering identity protection and credit monitoring services for two years to impacted patients.
For more information, individuals with questions and concerns can call (855) 797-1889 and provide engagement code B016329.
Guidehouse also provides services to Community Memorial Health System in California, which was impacted by the third-party data breach. Community Memorial Health System uses Guidehouse’s medical claims billing and collection services.
Guidehouse, on behalf of Community Memorial Health System, reported the data breach to the California Attorney General’s office on July 16.