AMARILLO, Texas (KAMR/KCIT) — Officials with the Northwest Texas Healthcare System released information about a breach in late 2021 that involved protected health information for the system’s patients.

According to a “vendor breach event notice” published on Thursday, officials said that Adelanto HealthCare Ventures LLC, a consulting company that works for one of the system’s business associates and a company that provides “transactional advisory support” for the system, became aware of two email accounts being accessed as a result of a “phishing incident” in November 2021.

Officials said initially, they did not believe that the incident involved the Northwest Texas Healthcare System. In December 2021, AHCV contacted a former employee of the system that protected health information was found in the impacted email accounts and “potentially accessible during the incident.” It was not until August 2022 that a business associate of the system learned that certain information could have been involved in the phishing incident.

After learning of the incident, the associate, not identified by the Northwest Texas Healthcare System, began an investigation. But the associate did not receive “sufficient information” to conduct the investigation until late December 2022.

“There is no evidence to date to suggest that the PHS was copied or misused, but our business associated notified our Organization of the incident on January 28, 2023,” the notice reads. “Once we received this notice, we worked with our business associate to take the steps needed to provide notification to individuals.”

Officials said the emails involved in the phishing incident potentially contained some or all of the following information from the system’s patients, including:

• Patient’s full name;
• Facility name;
• Medicaid claim ID;
• Medicaid client ID;
• Care plan name;
• Medicaid program;
• Gender;
• Date of birth;
• Admission and discharge date;
• Medical and diagnosis information;
• Mental health comorbidity (if any).

Officials stressed that the emails did not contain social security numbers, credit card numbers, or other financial information.

The system said that notification letters surrounding this notice began to be mailed on March 29. They also said that AHCV is reportedly expanding its security measures and assessing additional training for its employees. The unnamed business associate has also reportedly “counseled its own employees on the incident and best practices.”

“While we are unaware of any actual or attempted misuse of PHI, we are offering impacted patients 12 months of internet surveillance and identity restoration services through Experian at no charge,” the notice read. “Individuals can refer to their notification letter for enrollment instructions.”

The notice stated that those with additional questions are asked to call 800-910-4035, a dedicated line open from 8 a.m. to 10 p.m. Monday through Friday, and from 12 p.m. to 7 p.m. on Saturday and Sunday, excluding holidays. Officials said the line will remain open until July 31.

“If you did not receive a letter, but would like to know if you were affected, please contact our dedicated assistance line,” the notice read.