Cyber Incident Victim: St. Luke's Health System
Date: Nov 2021
Location: United States of America
Summary
An unauthorized individual accessed two employees' email accounts at a third-party vendor providing consulting services to St. Luke’s Health, potentially exposing protected health information of nearly 17,000 patients. The compromised data included names, addresses, Social Security numbers, medical record details, and limited clinical information such as treatment codes, though no misuse has been reported. The breach notification occurred approximately ten months after the incident discovery, with the vendor offering affected individuals complimentary credit monitoring services. Concurrently, the health system’s parent organization faced operational disruptions from a separate ransomware attack that temporarily disabled patient portal access and electronic medical records, though these services were later restored.
Description
On November 5, 2021, unauthorized individuals gained access to two employee email accounts at Adelanto Healthcare Ventures (AHCV), a consulting vendor serving St. Luke’s Health. The breach was detected by AHCV, prompting an immediate investigation. Initial findings concluded no patient data exposure had occurred. A subsequent review revealed protected health information of St. Luke’s Health patients was present in the compromised email accounts and could have been accessed or exfiltrated. The investigation confirmed the exposed data included names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicaid numbers, dates of service, and limited clinical details such as treatment and diagnosis codes. St. Luke’s Health received formal notification of the breach from AHCV on September 1, 2022, nearly ten months after the initial incident. The breach impacted 16,906 patients whose information resided within the vendor’s email systems at the time of unauthorized access.

St. Luke’s Health issued breach notification letters to affected individuals in November 2022, confirming no evidence of actual misuse of the exposed data had been identified. As a precautionary measure, AHCV offered complimentary identity theft protection and credit monitoring services to impacted patients. This incident occurred while St. Luke’s Health was managing operational disruptions stemming from a separate ransomware attack targeting its parent organization, CommonSpirit Health, which had occurred over a month prior. The ransomware attack against CommonSpirit Health caused widespread system outages, though St. Luke’s Health noted restoration of its MyChart patient portal and electronic medical records access for providers by the time the third-party breach disclosures were made. Business operations across CommonSpirit Health’s network remained partially disrupted due to the ransomware incident, though these recovery efforts were unrelated to the AHCV email compromise.
