Vendor Breach Event Notice – Adelanto Healthcare Ventures (AHCV)
Fort Duncan Regional Medical Center Media Notice
Laredo, Texas, March 29, 2023 – Fort Duncan Regional Medical Center (“our Organization”) is providing notice of anincident that involved our patients’ protected health information (“PHI”). Letters were mailed to potentially affectedpatients or their parents/guardians on March 29, 2023.
What Happened: Adelanto HealthCare Ventures, L.L.C. (“AHCV”) is a consulting company that works for one of ourbusiness associates and provides transactional advisory support for our Organization. As part of these services, ourbusiness associate may provide AHCV with certain claim information on our patients. On November 5, 2021, AHCVbecame aware of suspicious activity and determined that two AHCV employee email accounts had been accessedwithout authorization as a result of a phishing incident. Initially, AHCV did not believe the incident involved any PHI ofour Organization. On December 21, 2021, AHCV notified one of our former employees that PHI was present in theaffected email accounts and potentially accessible during the incident. It was not until August 19, 2022 that ourbusiness associate learned that certain PHI may have been involved.
Once our business associate learned of the incident, it launched an investigation into the matter and worked withAHCV to gather additional information on the incident to enable our business associate to determine whether therewas a low probability that the PHI was compromised. Unfortunately, our business associate did not receive sufficientinformation to conduct this analysis until December 27, 2022. There is no evidence to date to suggest that the PHIwas copied or misused, but our business associate notified our Organization of the incident on January 28, 2023.Once we received this notice, we worked with our business associate to take the steps needed to provide notificationto individuals.
What Information Was Involved: The emails contained the patient’s full name and some or all of the following:facility name, Medicaid claim ID, Medicaid client ID, care plan name, Medicaid program, gender, date of birth,admission and discharge date, medical and diagnosis information, and mental health comorbidity (if any). Pleasenote the emails did not contain Social Security numbers, credit card numbers or other financial information.
What We are Doing: Our Organization began mailing notification letters on March 29, 2023. We have alsoconfirmed that AHCV is expanding its security measures in light of the incident and assessing additional training andsecurity reminders for its employees. Our business associate has counseled its own employees on the incident andbest practices, and is determining whether additional steps are needed. We also provided other required notices ofthis incident, such as notice to the U.S. Department of Health and Human Services .
What Affected Individuals Can Do: While we are unaware of any actual or attempted misuse of PHI, we areoffering impacted patients with 12 months of internet surveillance and identity restoration services through Experianat no charge. Individuals can refer to their notification letter for enrollment instructions.
More Information: Our Organization is committed to providing quality care, including protecting personal healthinformation, and has policies and procedures in place for protecting and safeguarding patient information. Individualswith additional questions, may call our dedicated assistance line at (800) 910-4035 (toll-free), Monday – Friday, 9:00a.m. to 11:00 p.m. Eastern Time, and Saturday – Sunday, 11:00 a.m. to 8:00 p.m. Eastern Time, excluding holidays.
This line will remain open until July 31, 2023. Please provide engagement number B087604 when calling. If you did not receive a letter, but would like to know if you were affected, please contact our dedicated assistance line.
