Nearly 294,000 affected in Allegheny Health Network data breach

On January 17, 2025, Allegheny Health Network (AHN) reported a major data breach affecting 293,900 patients. The breach occurred due to unauthorized access to servers managed by IntraSystems, LLC, a business associate providing IT services for AHN's home care programs. 

What happened

A data breach at IntraSystems, a computer consulting firm, exposed the personal information of 293,900 home care patients affiliated with AHN, based in Pittsburgh. Between October 11 and November 19, 2024, unauthorized third parties accessed servers supporting AHN’s home medical equipment and home infusion services. The breach affected protected health information (PHI), including names, dates of birth, addresses, Social Security numbers, financial account details, and health insurance information.

AHN began notifying impacted patients on January 17, 2025, and their spokesperson, Dan Laurent, clarified that the health system's entire database was not compromised in the incident.

What was said

Dan Laurent, AHN spokesperson, clarified that the breach was limited to specific patient records and assured the public that no other database within the health system was compromised.

In the know

A business associate is an entity that performs services on behalf of a healthcare provider, health plan, or healthcare clearinghouse and has access to PHI. Business associates can handle multiple tasks, including IT services, legal, and administrative support.

Under HIPAA, business associates must sign a business associate agreement (BAA) with their healthcare clients. This agreement mandates that they adhere to HIPAA privacy and security standards to safeguard PHI. 

Go deeper: How to know if you’re a business associate

Why it matters

As a business associate, IntraSystems would have signed a BAA with AHN, clarifying its role in data protection. However, even with a BAA in place, data breaches can still occur if business associates fail to meet their security obligations. When a breach involves PHI, the healthcare provider (AHN, in this case) remains responsible for notifying affected individuals and offering them resources to mitigate the risk of identity theft.

The bottom line

The AHN and IntraSystems breach shows the risk posed by business associate-related data breaches. Healthcare providers must therefore verify that their business associates comply with HIPAA requirements and have effective cybersecurity protocols in place to safeguard PHI.

FAQs

What is a data breach?

A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

Are there any costs associated with placing a fraud alert or credit freeze?

No. Under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion), and placing a fraud alert or credit freeze likewise does not incur any costs.