Read the notice from March 2023 →
Read the notice from May 2023 →
March 2023 – Adelanto Healthcare Ventures (AHCV)
South Texas Health System ("our Organization") is providing notice of an incident that involved our patients' protected health information ("PHI"). Letters were mailed to potentially affected patients or their parents/guardians on March 29, 2023.
What Happened
Adelanto HealthCare Ventures, L.L.C. ("AHCV") is a consulting company that works for one of our business associates. As part of these services, our business associate may provide AHCV with certain claim information on our patients. On November 5, 2021, AHCV became aware of suspicious activity and determined that two AHCV employee email accounts had been accessed without authorization as a result of a phishing incident. Initially, AHCV did not believe the incident involved any PHI of our Organization. It was not until August 19, 2022 that our business associate learned that certain PHI may have been involved.
Once our business associate learned of the incident, it launched an investigation into the matter and worked with AHCV to gather additional information on the incident to enable our business associate to determine whether there was a low probability that the PHI was compromised. Unfortunately, our business associate did not receive sufficient information to conduct this analysis until December 27, 2022. There is no evidence to date to suggest that the PHI was copied or misused, but our business associate notified our Organization of the incident on January 28, 2023. Once we received this notice, we worked with our business associate to take the steps needed to provide notification to individuals.
What Information Was Involved
The emails contained the patient's full name and some or all of the following: facility name, age, patient account number, admission and discharge date, insurance carrier, and balance information. Please note the emails did not contain Social Security numbers, credit card numbers or other financial information.
What We Are Doing
Our Organization began mailing notification letters on March 29, 2023. We have also confirmed that AHCV is expanding its security measures in light of the incident and assessing additional training and security reminders for its employees. Our business associate has counseled its own employees on the incident and best practices, and is determining whether additional steps are needed. We also provided other required notices of this incident, such as notice to the U.S. Department of Health and Human Services.
What Affected Individuals Can Do
While we are unaware of any actual or attempted misuse of PHI, we are offering impacted patients with 12 months of Internet surveillance and identity restoration services through Experian at no charge. Individuals can refer to their notification letter for enrollment instructions.
More Information
Our Organization is committed to providing quality care, including protecting personal health information, and has policies and procedures in place for protecting and safeguarding patient information. Individuals with additional questions may call our dedicated assistance line at 800-910-4035 (toll-free), Monday – Friday, 9:00 a.m. to 11:00 p.m. Eastern Time, and Saturday – Sunday, 11:00 a.m. to 8:00 p.m. Eastern Time, excluding holidays. This line will remain open until July 31, 2023. Please provide engagement number B087604 when calling.
If you did not receive a letter, but would like to know if you were affected, please contact our dedicated assistance line.
May 2023
South Texas Health System - Edinburg ("our Facility") is providing notice of an incident through which patients’ protected health information (“PHI”) may have been accessed. Letters were mailed on May 17, 2023 to any potentially affected patient who was associated with a mailing address in our systems.
What Happened
On January 18, 2023, our business associate became aware of suspicious email activity in an authorized user’s email account and determined that, on or about January 9, 2023, this user’s email account had been accessed without authorization as a result of a phishing incident. “Phishing” means that the user was tricked into sharing login information which enabled an unauthorized person to access the email account. Our business associate immediately reset the account credentials and launched an investigation into the nature and scope of the incident. The investigation found that the user’s email account was only accessed through a web browser, and while certain emails may have been accessed by the unauthorized person, there is currently no evidence that suggests any PHI in the emails were the target of the attack or otherwise copied or misused in any way. Nevertheless, an extensive effort was made to match patient information in the emails with available mailing addresses in our system, and our Facility is providing notice of the incident to impacted patients in an abundance of caution and so they can take steps to protect their information if they find it appropriate to do so.
What Information Was Involved
The potentially impacted emails contained the patient’s full name, patient account and/or medical record number, admission and/or discharge date, status of diagnosis and/or discharge, and in some instances, associated billing amounts. Please note the emails did not contain Social Security numbers, credit card numbers or other financial information, and generally did not include any email, phone number, or mailing address.
What We are Doing
Our Facility began mailing notification letters on May 17, 2023. In addition, email security measures are being reviewed and enhanced in light of the incident, as well as additional training and security reminders for relevant staff. While our Facility is unaware of any actual or attempted misuse of PHI, we are offering impacted patients 12 months of identity surveillance and restoration services at no charge.
More Information
Our Facility is committed to providing quality care, including protecting PHI. Individuals with additional questions may call our dedicated assistance line at 800-984-9630 (toll-free), Monday – Friday, 9:00 a.m. to 11:00 p.m. Eastern Time, and Saturday – Sunday, 11:00 a.m. to 8:00 p.m. Eastern Time, excluding holidays. This line will remain open until August 31, 2023.
If you did not receive a letter, but would like to know if you were affected, please contact our dedicated assistance line.