St. Luke’s Health System, Ltd.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

St. Luke’s Health System, Ltd., based in Boise, Idaho, experienced a data breach involving Nuance Communications, a vendor that uses software made by Progress Software Corporation for file transfers related to clinical documentation services. The software in question, MOVEit Transfer, had a previously unknown vulnerability that was notified to Nuance by Progress Software on May 31, 2023. This vulnerability allowed an unauthorized third party to access and potentially take information from the MOVEit Transfer software[1].

As a result of this incident, personal health information (PHI) of approximately 4,679 patients of St. Luke’s may have been exposed. Nuance Communications took immediate steps to secure its systems and began an investigation. In August, after completing the investigation, Nuance informed St. Luke’s of the breach and the potential exposure of PHI. Nuance has since mailed letters directly to the impacted individuals to notify them of the breach[1].

St. Luke’s has emphasized that the privacy and safety of their patients are their highest priorities and, as such, they are offering complimentary identity theft protection services through IDX, a ZeroFox Company, to support the impacted individuals. Although there is no indication that any financial or payment information was compromised, nor is there evidence to suggest that the patient information has been misused, St. Luke’s is taking additional steps to support those affected[1].

Impacted individuals who received a letter from Nuance can contact Nuance’s toll-free call center for questions and additional information. St. Luke’s has expressed regret for the incident and any inconvenience it may have caused[1].

Citations:

  1. https://www.stlukesonline.org/blogs/st-lukes/notes-and-announcements/2023/sep/notice-of-vendor-data-breach
  2. https://www.kmvt.com/2022/07/27/st-lukes-suffers-data-breach-affecting-some-patients/
  3. https://www.kbtx.com/2024/01/11/nationwide-healthcare-data-breach-impacting-brazos-valley-patients/
  4. https://www.healthcareitnews.com/news/st-lukes-health-reports-data-beach
  5. https://www.hipaajournal.com/hipaa-violation-cases/
  6. https://boisedev.com/news/2022/07/27/st-lukes-data-breach/
  7. https://www.daytondailynews.com/business/mercy-health-patients-among-giant-data-breach-affecting-89-million-people-company-says/3C6AZ66GOVF2PJ6Z5247U22M5U/
  8. https://www.stlukesonline.org/blogs/st-lukes/notes-and-announcements/2023/apr/patient-privacy-notice
  9. https://www.scmagazine.com/news/healthcare-vendor-reports-breach-from-2021-at-least-9-providers-impacted
  10. https://healthitsecurity.com/news/st-lukes-health-suffers-third-party-data-breach-unrelated-to-commonspirit-attack
  11. https://www.ktvb.com/article/news/local/st-lukes-doctor-explains-aftermath-ammon-bundys-protests-affected-life-protests-baby-cyrus/277-80ec6de1-44df-4d2a-b01f-f5e4a395533c
  12. https://www.hipaajournal.com/st-lukes-health-reports-third-party-data-breach/
  13. https://www.fiercehealthcare.com/health-tech/commonspirit-health-reported-it-security-incident-affecting-facilities-wash-neb-and
  14. https://www.idstrong.com/sentinel/st-lukes-health-data-breach/
  15. https://www.securitymagazine.com/articles/99910-nuance-communications-announces-data-breach-affecting-healthcare
Breach Submission Date Apr 06, 2023
Converted Entity Name St. Luke's Health System, Ltd.
Converted Entity Type Healthcare Provider
State ID
Individuals Affected 15,246
Breach Type Unauthorized Access/Disclosure

Breach Information Location Paper/Films

Business Associate Present Yes