Cyber Incident Victim: Adelanto HealthCare Ventures
Date: Nov 2021
Location: United States of America
Summary
A phishing attack compromised two employee email accounts at Adelanto HealthCare Ventures in an incident initially believed not to involve protected health information. Subsequent forensic analysis revealed unauthorized access to provider names, patient ages, account numbers, admission and discharge dates, insurance details, and balance data, though Social Security numbers and financial information remained unaffected. The breach impacted at least nine healthcare providers, with notifications issued over 18 months after discovery, significantly exceeding HIPAA's 60-day reporting requirement. The delayed disclosure occurred despite confirmation of data exposure months prior, highlighting procedural failures in timely incident communication.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Adelanto HealthCare Ventures (AHCV) incident began with a phishing attack discovered on November 5, 2021, which compromised two employee email accounts. AHCV, a consulting firm supporting healthcare business associates with claims data, initially assessed that protected health information (PHI) was unaffected by the email system breach. Forensic analysis conducted nearly ten months later, on August 19, 2022, confirmed PHI exposure within the compromised accounts. The investigation revealed emails containing provider names, patient ages, account numbers, admission and discharge dates, insurance carriers, and balance information. No Social Security numbers or financial data were impacted. The delayed discovery of PHI involvement stemmed from the extended forensic review period. The vendor then did not publicly disclose the patient data impacts until March 2023, eight months after confirming PHI exposure and over 18 months after the initial security incident.

At least nine healthcare providers were affected by the AHCV breach, including St. Luke’s Health (which first reported the incident in October 2022) and eight entities reporting impacts in March 2023: Texoma Medical Center, Suncoast Behavioral Health, Coral Shores Behavioral Health, The Vines Hospital, South Texas Health System, Doctors Hospital of Laredo, Fort Duncan Regional Medical Center, and Northwest Texas Healthcare System. The notifications violated HIPAA’s 60-day disclosure requirement, as AHCV issued notices far beyond the mandated timeframe after confirming PHI exposure. No containment or remediation actions by AHCV were detailed in the available reports. The breach originated solely from the phishing compromise of email accounts. The incident underscored delays in both forensic analysis and regulatory compliance, with no evidence suggesting financial or identity theft-related misuse of the exposed data.
