Loretto Management Corp. formally informed the attorney general of Vermont of a third-party data breach that recently allowed hackers to access the long-term care company’s information technology network.
The unauthorized party gained access to sensitive consumer information, Loretto told the AG in a notice filed last week. The breach reportedly took place in the May 1-2 time frame, leading Loretto to engage third-party security experts who conducted a forensic investigation that lasted through June 11.
Last Tuesday, Loretto sent notification letters about the breach to individuals whose information was affected, according to a report from Console and Associates in JD Supra.
Syracuse, NY-based Lorreto employs more than 2,500 and operates at nine locations, offering a variety of skilled nursing and short-term rehab as well as independent living, assisted living and and memory care. Along with its various community partnerships, it serves more than 9,000 people, according to its website. Its revenues exceed more than $300 million annually.
A Loretto representative declined comment Friday in response to a McKnight’s inquiry.
“Unfortunately, the publicly available data breach letter from Loretto doesn’t mention what data types were leaked,” the Console report noted. “However, the personalized data breach letters … should provide victims with a list of what information belonging to them was compromised.”
More information about the hack, including how it occurred and what data was apparently compromised is expected at a future date, legal observers said.
Loretto is a 104-year-old nonprofit organization with nine locations in central New York state: The Bernardine, Buckley Landing, The Commons on St. Anthony, Community Residences, The Heritage Memory Life Community, Loretto Health & Rehabilitation, The Nottingham, PACE CNY and Sedgwick Heights.
Cyberattacks in long-term care and healthcare have assumed an especially high profile since a massive hack shut down billing and payment systems at one of the nation’s largest firms operating in this sector in late February.
The target was Change Healthcare, which filters claims, processes prescriptions, handles prior-authorization requests, and provides more than 100 other data and clinical support services. The company, acquired by UnitedHealth Group’s Optum in 2022, said it supports more than 14 billion clinical, financial and operational transactions annually.
The fallout was felt for weeks and compelled federal action to help providers and head off any potential future attacks.
The McKnight’s Tech Daily is an e-newsletter for the audiences of McKnight’s Long-Term Care News, McKnight’s Senior Living and McKnight’s Home Care.
