ITHACA, N.Y.—A data breach at a third-party company has revealed information for a number of Cayuga Medical Center patients, potentially including names, birth dates, certain medical information and insurance account numbers.
The breach was revealed in letters sent out earlier this month to people who may have been impacted. The letters came from Guidehouse, a Virginia-based company that CMC uses to handle its medical claims billing and collections—CMC was not breached directly. Guidehouse stated that a file transfer service they use, Accellion FTA, is the genesis of the data breach. Guidehouse has not responded to a question regarding the specific number of CMC patients who were impacted.
Guidehouse said the breach took place in January 2021, and they were notified of it in March 2021. They told CMC of the breach in May, and had apparently been assessing the extent of the problem until the letters were sent out this month.
“It has taken time to accurately determine what data was impacted,” Guidehouse said in its letter to impacted patients. “We are not aware of any misuse of your information.”
According to CMC spokesperson John Turner, the hospital is not under the impression that the breach is impacting a large portion of their total patients/customers.
“This is a small fraction of people compared to the total number of patients,” he said. “Cybersecurity is a priority for us, which is why we hired a Chief Cyber Security Officer several years ago.”
Guidehouse, for their part, said in a statement to the Ithaca Voice that the issue arose from the Accellion FTA service, used to transfer files. They are no longer using Accellion FTA and notified law enforcement and cybersecurity experts upon learning of the breach.
“Through the investigation, it was determined that certain personal information may have been impacted,” said a Guidehouse spokesperson. “This information may include names, dates of birth, insurance account numbers, and certain medical information, of patients of Cayuga Medical Center. We are not aware of any misuse of the information.”
Those confirmed to be impacted will be offered a credit monitoring product for free through Guidehouse, using Experian. Because of the Accellion FTA problem, Guidehouse also disclosed a breach involving Morgan Stanley customers and a California-based healthcare network. A TechCrunch article seems to indicate that the number of affected organizations is far larger than those two entities, extending beyond Guidehouse to include colleges, government offices, and others that used Accellion FTA.