Cyber Incident Victim: Peak TPA

On December 28, 2020, a ransomware attack compromised participant data held by St. Bernards Total Life Healthcare, Inc. (TLH), a healthcare provider. PeakTPA, a third-party healthcare management services provider responsible for handling TLH’s data, discovered the breach and formally notified TLH of the incident on January 23, 2021. The attack occurred on or around the initial December date, though the specific ransomware variant involved remained unidentified in public disclosures. TLH’s HIPAA Privacy Officer, Daya S. Shipman, confirmed the breach through a media release, acknowledging the unauthorized access to protected health information. The delayed notification timeline—nearly one month between the attack’s occurrence and PeakTPA’s alert to TLH—suggests a period of investigation or containment efforts prior to stakeholder communication.

PeakTPA reported the incident to the U.S. Department of Health and Human Services (HHS) on March 2, 2021, listing the breach as affecting approximately 50,000 individuals. However, the scope of this figure was ambiguous, as PeakTPA did not clarify whether it represented TLH patients exclusively or included individuals from other healthcare entities serviced by the company. DataBreaches.net sought clarification from PeakTPA regarding the patient count’s applicability and the ransomware strain involved but received no response prior to the article’s publication. The breach exposed sensitive participant data managed by TLH, though specific details about the compromised data categories—such as medical records, insurance details, or identifiers—were not disclosed publicly. The incident underscored risks associated with third-party vendor dependencies in healthcare data management, particularly regarding ransomware threats targeting administrative service providers. No additional mitigation actions or containment measures by either TLH or PeakTPA were detailed in the available reporting.