Guidehouse Reports Breach Impacting Several Healthcare Provider Clients

Community Memorial Health System based in Ventura, CA, Cayuga Medical Center based in Ithaca, NY, and Lehigh Valley Health Network based in Allentown, PA were impacted by a cyberattack at a vendor, which is a business associate.

The three healthcare companies utilized Guidehouse as a provider of their medical billing and collection services. Hackers accessed the Accellion File Transfer Appliance (FTA) utilized by Guidehouse for sending files to customers on January 20, 2021. For Community Memorial Health System patients, the files contained sensitive patient data like names, birth dates, member ID addresses, and selected medical data. For Cayuga Medical Center patients, the names, birth dates, insurance account numbers, and selected medical data were possibly exposed. For Lehigh Valley Health Network patients, the possibly exposed information includes names, account numbers, medical record numbers, dates of service, diagnosis and treatment procedure names, billing or payer details and names of the provider.

Accellion notified Guidehouse of the cyberattack in March 2021, and Guidehouse promptly ceased using the FTA service. Prominent cybersecurity professionals helped with the breach investigation and response. Guidehouse notified the affected clients of the breach on May 21, 2021.

Guidehouse issued breach notification letters to impacted entities on July 16, 2021. The delay in sending notifications was due to the time needed to determine the people impacted and to verify contact information.

Although the hackers obtained some data during the attack, Guidehouse said it is not aware of any incidents of misuse of the stolen data. Nevertheless, as a safety measure against identity theft and fraud, impacted people will get a free Experian IdentityWorks credit monitoring service membership for two years.

The incident is not yet posted on the HHS Office for Civil Rights breach website, so the number of affected patients at the three healthcare companies is still uncertain.

A few more healthcare companies in the United States were impacted by the Accellion FTA cyberattack, such as Kroger Pharmacy, Health Net, Trillium Health Plan, Trinity Health, Arizona Complete Health, Stanford Medicine and Centene Corp.