Personal information belonging to some Lehigh Valley Health Network patients was stolen when a widely used third-party file transfer service was hacked earlier this year.
In a paid advertisement that ran in The Morning Call, Guidehouse, a global company that provides business consulting services to LVHN, states that in January hackers broke into Accellion File Transfer Appliance a third-party file transfer service it used for many of its clients. Guidehouse did not find out it was affected by the attack until late March and immediately began an investigation in cooperation with federal law enforcement agencies, the ad states.
After determining LVHN patient information was impacted, Guidehouse notified the health network June 4. The investigation found that hacked patient information may include medical record numbers, account numbers, dates of service, diagnosis and procedure names, billing or payer information and provider names. LVHN’s information technology systems were not compromised as part of the hack.
The ad states Guidehouse stopped using Accellion FTA after it found out about the data breach. It also states Guidehouse is not aware of any misuse of hacked LVHN patient information.
“We regret that this incident occurred and take the security of personal information seriously,” LVHN said in a statement.
LVHN spokesperson Brian Downs said the health network could not provide any other information at this time.
Guidehouse has notified the impacted individuals that it had contact information to offer free identity protection and credit monitoring services for two years, according to the ad.
Accellion FTA, a 20-year-old file transfer service, was the target of attacks in December 2020 and January of this year. Investigators believe UNC2546 and UNC2582 two previously unknown hacker groups with ties to financial crime group FIN11 and the Cl0P ransomware group are responsible for the Accellion FTA hacks, according to tech magazine WIRED.
Guidehouse and LVHN are not the only ones affected by the Accellion FTA hacks. Others affected include the U.S. Department of Health and Human Services, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, Morgan Stanley, Harvard Business School, Stanford University, Royal Dutch Shell, Kroger and multiple health networks across the country.
Morning Call reporter Leif Greiss can be reached at 610-679-4028 or lgreiss@mcall.com.
