Hospitals Notify Patients About 2021 Phishing Attack on Adelanto HealthCare Ventures
Several hospitals have started notifying patients about a data breach at the consulting company, Adelanto HealthCare Ventures (AHCV). AHCV has offices in Washington D.C., Nashville, Tennessee, and Austin and Laredo in Texas, and provides transactional advisory support and other services. AHCV provided services to an unnamed business associate of the affected hospitals. According to the breach notifications recently issued by the hospitals, their business associate provided AHCV with claim information on their patients to allow AHCV to perform its contracted services.
On November 5, 2021, AHCV determined that the email accounts of two of its employees had been accessed by unauthorized individuals after the employees responded to phishing emails. AHCV launched an investigation into the data breach but initially concluded that the email accounts did not contain any protected health information. On December 21, 2021, AHCV determined that one of the email accounts did contain patient information, which may have been accessed in the attack. It took until August 19, 2022, for AHCV to confirm to its business associate that some protected health information had likely been compromised.
The business associate launched an investigation and worked with AHCV to obtain further information on the PHI involved and the individuals affected but was not provided with sufficient information to conduct its analysis until December 27, 2022. The business associate then informed the hospitals that had been affected on January 28, 2023, then the hospitals started issuing breach notifications two months later at the end of March – 16 months after the breach occurred. The compromised information included the following data elements: Name, facility name, Medicaid claim ID, Medicaid client ID, care plan name, Medicaid program, gender, date of birth, admission and discharge date, medical and diagnosis information, and mental health comorbidity.
AHCV has augmented its security measures and has provided further security awareness training to its employees. There has been no detected misuse of patient data as a result of the incident; however, as a precaution, affected individuals are being offered complimentary credit monitoring and identity theft restoration services for 12 months.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
It is currently unclear exactly how many hospitals/healthcare providers have been affected, and the number of affected individuals is not yet known. The healthcare providers that have confirmed that they have been affected are listed below:
| Healthcare Provider | Individuals Affected |
| UHS of Delaware | 40,290 |
| St. Luke’s Health (TX) | 16,906 |
| Doctors Hospital of Laredo (TX) | 500 (potentially placeholder) |
| McAllen Hospitals dba South Texas Health System (TX) | Unknown |
| Fort Duncan Regional Medical Center (TX) | Unknown |
| Northwest Texas Healthcare System (TX) | Unknown |
| Texoma Medical Center (TX) | Unknown |
| Coral Shores Behavioral Health (FL) | Unknown |
| The Vines Hospital (FL) | Unknown |
| Suncoast Behavioral Health (FL) | Unknown |
| River Point Behavioral Health (FL) | Unknown |
