Guidehouse Reports Breach Affecting Multiple Healthcare Provider Clients

Ventura, CA-based Community Memorial Health System, Ithaca, NY-based Cayuga Medical Center, and Allentown, PA-based Lehigh Valley Health Network have been affected by a cyberattack at a vendor used by a business associate.

The three healthcare providers used Guidehouse for medical billing and collection services. On January 20, 2021, hackers gained access to the Accellion File Transfer Appliance (FTA) used by Guidehouse for transferring files to clients. For patients of Community Memorial Health System, the files included sensitive patient information such as names, dates of birth, member ID addresses, and certain medical information. For Cayuga Medical Center patients, names, dates of birth, insurance account numbers, and certain medical information were potentially compromised. For Lehigh Valley Health Network, the potentially compromised data include names, medical record numbers, account numbers, dates of service, diagnosis and procedure names, billing or payer information, and provider names.

Guidehouse was notified about the cyberattack by Accellion in March 2021 and immediately stopped using the FTA service. Leading cybersecurity experts were engaged to assist with the investigation and breach response, and affected customers were notified about the breach on May 21, 2021.

Guidehouse sent breach notification letters to affected individuals on July 16, 2021. The delay in issuing notifications was due to the time it took to identify the individuals affected and to confirm contact details.

While certain data were obtained by the hackers in the attack, Guidehouse said it is unaware of any cases of misuse of the stolen data. However, as a precaution against identity theft and fraud, affected individuals have been offered a complimentary membership to the Experian IdentityWorks credit monitoring service for 24 months.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many patients of the three healthcare providers have been affected.

Several other healthcare organizations in the United States have been affected by the Accellion FTA cyberattack, including Kroger Pharmacy, Trillium Health Plan, Health Net, Trinity Health, Arizona Complete Health, Centene Corp, and Stanford Medicine.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.