Cyber Incident Victim: St. Luke's Health System
Date: Jun 2022
Location: United States of America

Summary
St. Luke’s Health System experienced a data breach involving a third-party vendor responsible for statement processing and billing services, potentially compromising protected health and financial information of patients. The incident exposed guarantor and patient details—including names, addresses, partial Social Security numbers, service descriptions, and billing information—though no misuse has been confirmed. The health system suspended vendor activities, initiated an investigation with external forensics and law enforcement, and offered affected individuals complimentary identity theft protection, credit monitoring, dark web surveillance, and insurance coverage. A dedicated call center was established to assist with enrollment and inquiries.

Description
In late May 2022, St. Luke’s Health System experienced a cybersecurity incident involving a third-party vendor contracted to provide statement processing and billing services. The vendor notified St. Luke’s in June 2022 that an unauthorized actor had obtained personal information from some patients and members of certain customers during the late May breach. On July 6, 2022, St. Luke’s confirmed that protected health information of patients billed in May 2022 for its services could have been accessed through the vendor’s compromised systems. The compromised data included guarantor details (name, address, phone number, ID number), patient names, dates of birth, last five digits of Social Security numbers, descriptions of medical services received, service dates and locations, provider names, and patient account numbers. Financial exposure involved amounts billed, outstanding balances, payment due dates, and account payment statuses. While the investigation remained ongoing, St. Luke’s expedited notifications to potentially affected individuals via mailed letters, emphasizing no evidence of data misuse had been identified at the time of disclosure.

St. Luke’s suspended all processing activities with the vendor immediately upon learning of the breach and directed its Cybersecurity and Compliance teams to collaborate with the vendor’s investigation. The vendor engaged the FBI and contracted an external forensics firm to analyze the incident while implementing enhanced security measures to prevent recurrence. Affected patients were offered complimentary identity theft protection services, including 12 months of credit monitoring and CyberScan dark web surveillance, a $1,000,000 insurance reimbursement policy, and dedicated call center support for enrollment assistance. A toll-free call center (1-833-423-2976) became operational at 4 p.m. on July 28, 2022, operating Monday through Friday from 7 a.m. to 7 p.m. to address patient inquiries. Senior Vice President Dave Self publicly reaffirmed St. Luke’s commitment to safeguarding patient data and urged recipients of notification letters to utilize the protective services provided.
