The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Guidehouse Reports Breach Affecting Multiple Healthcare Provider Clients

Ventura, CA-based Community Memorial Health System, Ithaca, NY-based Cayuga Medical Center, and Allentown, PA-based Lehigh Valley Health Network have been affected by a cyberattack at a vendor used by a business associate.

The three healthcare providers used Guidehouse for medical billing and collection services. On January 20, 2021, hackers gained access to the Accellion File Transfer Appliance (FTA) used by Guidehouse for transferring files to clients. For patients of Community Memorial Health System, the files included sensitive patient information such as names, dates of birth, member ID addresses, and certain medical information. For Cayuga Medical Center patients, names, dates of birth, insurance account numbers, and certain medical information were potentially compromised. For Lehigh Valley Health Network, the potentially compromised data include names, medical record numbers, account numbers, dates of service, diagnosis and procedure names, billing or payer information, and provider names.

Guidehouse was notified about the cyberattack by Accellion in March 2021 and immediately stopped using the FTA service. Leading cybersecurity experts were engaged to assist with the investigation and breach response, and affected customers were notified about the breach on May 21, 2021.

Guidehouse sent breach notification letters to affected individuals on July 16, 2021. The delay in issuing notifications was due to the time it took to identify the individuals affected and to confirm contact details.


While certain data were obtained by the hackers in the attack, Guidehouse said it is unaware of any cases of misuse of the stolen data. However, as a precaution against identity theft and fraud, affected individuals have been offered a complimentary membership to the Experian IdentityWorks credit monitoring service for 24 months.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is unclear how many patients of the three healthcare providers have been affected.

Several other healthcare organizations in the United States have been affected by the Accellion FTA cyberattack, including Kroger Pharmacy, Trillium Health Plan, Health Net, Trinity Health, Arizona Complete Health, Centene Corp, and Stanford Medicine.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
