Intermountain Healthcare announced on Friday that a data security event affecting a business associate had made protected health information accessible to unauthorized individuals.
The incident affected four specialty clinics in southern Nevada, said officials from the Salt Lake City-based health system. Neither its facilities in Utah and Idaho nor its systemwide records were affected.
“Intermountain Healthcare deeply regrets that this matter occurred and sincerely apologizes for any inconvenience or concern it may have caused,” said the health system in a press release.
WHY IT MATTERS
The breach occurred via an incident with Intermountain’s business associate, the cancer software vendor Elekta.
In mid-May, said Intermountain, Elekta informed the health system that a server with some data relating to its patients was affected in a security incident. This incident meant that some protected health information stored on the impacted systems had been made accessible to unauthorized people between April 6 and April 20.
“Upon receiving this notification, Intermountain Healthcare immediately worked with Elekta and others to confirm the nature and scope of the data at issue, including whether and how it related to patients of Intermountain Healthcare,” read a statement from Intermountain.
Although Intermountain could not confirm whether bad actors actually viewed or accessed any specific information, Elekta found that the data present on its affected systems included patient names and scanned image files.
Those files could have included medical images and information on medical intake forms, as well as patient Social Security numbers, dates of birth, demographic information, insurance cards and other identification cards.
Financial and payment information was not involved, and Intermountain says there is currently no evidence of misuse.
“Intermountain Healthcare takes this incident and the security of the information in their care very seriously. Elekta migrated Intermountain Healthcare’s data to a new-generation cloud system as part of Elekta’s commitment to safeguarding customer data,” read the company statement.
THE LARGER TREND
Elekta has not yet revealed specifics about the nature or scope of the attack, but the incident – which also took cancer treatments at some hospitals offline earlier this year – exemplifies the ways that health system networks can be left vulnerable via business associates.
In fact, a report published in February 2021 found that almost three-quarters of the number of breaches reported to HHS in the last six months of 2020 were tied to third-party business associates.
ON THE RECORD
“As part of Intermountain’s ongoing commitment to protect the information in our care, Intermountain is working to review our existing policies and procedures as they pertain to third-party vendors and working with Elekta to evaluate additional measures and safeguards to better protect against this type of incident in the future,” said an Intermountain official.