Intermountain Says Patients’ PHI Exposed in Elekta Health Data Breach

July 19, 2021 - Intermountain Healthcare of Southern Nevada is one of the latest victims of the larger Elekta health data breach, which exposed patients’ protected health information (PHI.)  

The Elekta data breach “resulted in certain PHI stored on the impacted systems becoming accessible to unauthorized person(s) between April 6, 2021, and April 20, 2021,” an Intermountain Healthcare press release published on July 16 stated.  

The impacted PHI may have included patients’ names and scanned files. “The scanned image files could have included medical images, and information on medical intake forms,” according to the press release. “The patients may have provided their Social Security number, date of birth, demographic information, insurance card, and other identification cards. Patients' financial account and payment card information was not involved. At this time, there is no evidence or reports that information has been misused.” 

Intermountain received notification in May that “a server with some data relating to Intermountain Healthcare's patients was affected in a data security incident that impacted certain Elekta systems,” the release states.  

Intermountain Healthcare has locations in Utah, Idaho, and Nevada but only the four Nevada clinics were involved.  

The data breach “only impacted four Intermountain Healthcare specialty clinics located in southern Nevada that use Elekta's cloud-based clinical care management system for patient care related purposes,” the press release states.  

“Intermountain's system-wide records were not affected,” it states.  

Intermountain cannot confirm if “any specific information related to the impacted individuals was actually accessed or viewed by an unauthorized person as a result of the Elekta incident. However, Elekta's investigation determined that the data present on their impacted systems at the time of the incident included patient's name and scanned image files. The scanned image files could have included medical images, and information on medical intake forms.” 

“The patients may have provided their Social Security number, date of birth, demographic information, insurance card, and other identification cards,” the announcement continued. “Patients' financial account and payment card information was not involved. At this time, there is no evidence or reports that information has been misused.” 

Currently, Intermountain is notifying all patients affected by the data breach.  

“Intermountain Healthcare takes this incident and the security of the information in their care very seriously,” the press release states.  

“Elekta migrated Intermountain Healthcare's data to a new-generation cloud system as part of Elekta's commitment to safeguarding customer data. As part of Intermountain's ongoing commitment to protect the information in our care, Intermountain is working to review our existing policies and procedures as they pertain to third-party vendors and working with Elekta to evaluate additional measures and safeguards to better protect against this type of incident in the future,” the release states.  

“Intermountain Healthcare deeply regrets that this matter occurred and sincerely apologizes for any inconvenience or concern it may have caused.” 

Elekta’s April 2021 data breach, impacted several US-based healthcare facilities, including: Renown Health in Nevada, Yale New Haven Health, Lifespan, Southcoast Health, and the Cancer Centers of Southwest Oklahoma.  

Elekta said in an earlier statement that its “first-generation cloud-based storage system has experienced a data security incident.”    

The company is providing free credit monitoring and identity restoration services for patients impacted by the data breach.  

Patients seeking additional information and resources can call the assistance line at 866-281-0520 Monday through Friday, from 9:00 am to 11:00 pm, EST, and weekends from 11:00 am to 8:00 pm, EST. Use the engagement code, B015985, when calling.