July 2, 2021
St. Vincent’s Services, Inc. d/b/a HeartShare St. Vincent’s Services (“HeartShare”) recently learned of a cybersecurity incident involving Postlethwaite & Netterville APAC (“P&N”), an accounting firm that provides services to BKD, LLP (“BKD”), which is an accounting firm that formerly worked with HeartShare.
On or around May 5, 2021, HeartShare was informed that two of its data files, used by P&N as part of its standard audit practices, were involved in a cybersecurity incident. HeartShare was informed that in late March of 2021, P&N detected suspicious activity on the dark web related to data stored by P&N. P&N immediately commenced an investigation to determine the nature and scope of the incident, and concluded that certain P&N data may have been impacted by a data security incident affecting Accellion, Inc. Accellion’s application was used by P&N for third-party secure file transfers.
In mid- to late-April of 2021, P&N identified information related to HeartShare on the dark web that had been provided to P&N by BKD as part of its standard audit practices. While the investigation is ongoing, P&N has determined that certain HeartShare data was impacted and potentially accessed by an unauthorized third party. For the avoidance of any doubt, we would like to clarify that this incident did not directly involve any of HeartShare’s systems and is limited to the HeartShare data files P&N used as part of its standard audit practices in working with BKD.
HeartShare subsequently conducted a thorough review of the data impacted by the incident, and requested P&N provide a copy of HeartShare files impacted by the incident so the content could be verified. Based on HeartShare’s review of the database later provided by P&N, HeartShare discovered that categories of personal information varied for each affected individual and may have included demographic information (first and last name and address), medical ID, Medicaid ID, and references to medical information (such as information about the individual’s provider and/or appointment scheduling information). HeartShare’s investigation confirmed that no credit card information, bank account information or Social Security numbers were included in the HeartShare data files impacted by this incident.
Given the data elements involved, we do not believe there are any steps our patients need to take to protect their information in connection with this incident. P&N has represented that it will continue to monitor the web for any signs of the stolen data and implement additional safeguards to strengthen the security of its systems. P&N also informed HeartShare that it migrated all data off of the vulnerable Accellion file transfer appliance and contacted law enforcement.
HeartShare takes patient confidentiality very seriously. HeartShare patients who have any questions regarding the incident should not hesitate to contact 1-833-903-3648 for further assistance.
This notice is being provided in accordance with the media notice requirements of the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HeartShare has notified impacted individuals and relevant regulatory bodies, including the U.S. Department of Health and Human Services (HHS).