Houston-based St. Luke's Health is notifying patients about a third-party data breach at consulting services vendor Adelanto Healthcare Ventures that resulted in the protected health information of 16,906 patients to be compromised. On Sept. 1, the vendor notified St. Luke's that two of its employee email accounts were compromised by an unknown party on Nov. 5, 2021, according to an Oct. 28 breach notification from the health system. The email accounts contained patient information such as names, addresses, dates of birth, Social Security numbers, dates of service, medical record numbers, Medicaid numbers, and limited information about treatment and diagnosis. Adelanto Healthcare Ventures said it has found no indication that the information has been misused, but St. Luke's said it will conduct an additional investigation into the incident. The health system is working to notify affected patients and in some cases will offer free credit monitoring. This event does not impact St. Luke's parent company, Chicago-based CommonSpirit Health, nor is it related to the ongoing ransomware attack affecting CommonSpirit and its affiliates, according to the breach notification.

Seattle Children's is alerting patients about a ransomware attack at a mail service vendor that has compromised the protected health information of 6,750 patients. In June, the mail service vendor, Kaye-Smith, learned that an unauthorized individual had gained access to information in its systems. The breach resulted in unauthorized access to patient information from Seattle Children's, according to a Sept. 22 breach notification shared with Becker's. The information compromised included names, addresses, provider names, medical record numbers, visits, lab information, guarantor numbers and names of insurance carriers. There is no evidence that the information compromised has been misused, according to Seattle Children's. The hospital said it is working with the vendor to evaluate the new safeguards it is putting in place in order to mitigate any further unauthorized access.

Hospitals and health systems are facing significant data security and privacy threats due to the lack of vetting of their third-party vendors, BankInfoSecurity reported Dec. 5. The Department of Health and Human Services' HIPAA breach reporting website showed that half of the 10 largest healthcare-related data breaches reported this year were caused by vendors or business associates. Security experts said this demonstrates the importance of vetting third-party providers and including cybersecurity standards in contracts and regular audits. "The reason business associate data breaches have skyrocketed is a simple numbers game," said Paul Hales, regulatory attorney of the Hales Law Group. "Criminals know that one successful business associate attack yields protected health information from hundreds of covered entities. In a sense, business associates are just couriers. Covered entities are the real targets." Since 2018, the attacks on business associates have doubled. Some hospitals and health systems that have reported compromised patient information due to a third-party data breach include Seattle Children's and Houston-based St. Luke's Health.