St. Luke’s Blogs

Notice of Data Security Incident

July 29, 2022

What Happened

St. Luke’s Health System was notified on June 3, 2022, that a business associate was subject to a cybersecurity incident in late May 2022. St. Luke’s has had a contract with the vendor to provide statement processing and billing services. On July 6, 2022, St. Luke’s Health System learned that protected health information of some patients who had billing statements processed in May 2022 could have been accessed as part of this cybersecurity incident. There is no evidence at this time that the unauthorized user has misused this information.

What Information Was Involved

Information that may have been compromised includes:   

  • The guarantor’s name, address, phone number and ID number.   
  • The patient’s first and last name, date of birth and last five digits of the social security number.  
  • Description of service received, date(s) and location of service received and provider name.   
  • Patient account number.    

Financial information that may have been compromised includes:  

  • Amount billed for services.  
  • Any outstanding balance.  
  • Payment due dates.  
  • Status of the payment account.     

What St. Luke’s Is Doing

St. Luke’s takes its responsibility to safeguard personal and protected health information very seriously. In furtherance of transparency and our commitment to our patients’ privacy and safety, St. Luke’s has moved to notify impacted patients as quickly as possible. To best protect our patients, we have suspended all processing activities with this vendor. St. Luke’s Cyber Security and Compliance are working with the vendor concerning its internal investigation. The vendor has engaged the FBI and contracted with an external forensics firm to better understand this incident and has implemented improved security measures to prevent a similar incident in the future. Specific patients who were impacted will be notified via mailed letter.

St. Luke’s has engaged IDX, data breach and recovery services experts, to ensure the highest level of protection for patients impacted by this incident. Through this partnership, St. Luke’s is offering the following complimentary protection services:  

  • Identity theft protection services.   
  • 12 months of complimentary credit and CyberScan dark web monitoring.   
  • $1 million insurance reimbursement policy.  

What Impacted Patients Can Do 

A call center will be activated on July 28 at 4 p.m.; additional information will be available by calling 1-833-423-2976. The call center will be available Monday through Friday, 7 a.m. to 7 p.m., MST.

If you received a letter notification regarding this vendor’s cybersecurity incident, we encourage you to contact IDX with any questions and to enroll in the free identity protection services by calling 1-833-423-2976 or by going to IDX's website and enrolling online.