Law firm used by Presbyterian says data breach may have impacted patients’ personal information

A law firm that provides services to Presbyterian Healthcare Services says it experienced a data security incident earlier this year that involved protected information of some of the health system's patients.

St. Louis-based Thompson Coburn said the incident took place May 28-29. The law firm said patients' information — such as Social Security numbers, dates of birth and health insurance information — were included in files either viewed or taken by an "unauthorized actor."

"Unfortunately, we have learned that a law firm that we work with, Thompson Coburn LLP, experienced a data security incident that involved the protected health information of certain Presbyterian patients," Presbyterian spokesperson Amanda Schoenberg wrote late Monday in an email to the Journal. "While Thompson Coburn is sending letters to potentially impacted patients this week, the law firm does not have any indication that identity theft or fraud has occurred related to this incident."

Thompson Coburn said it plans to notify potentially involved patients of Presbyterian through mailed letters, noting that it doesn't believe there has been any identity theft or fraud related to the breach.

Thompson Coburn said in a news release, "The specific type of information at issue varies for each individual, and is specified in the letters that were mailed to the involved individuals."

Schoenberg wrote in an email that Thompson Coburn provides legal counsel to the health system for issues such as government billing and repayment, adding that "some health information may be relevant to some legal matters." Schoenberg didn't say how many patients may have been impacted but said, "We take the responsibility of protecting the privacy of our patients and members very seriously."

The Journal was trying late Monday to get more specifics from Presbyterian on Thompson Coburn's role. An attorney representing Thompson Coburn didn't immediately respond to a Journal request for comment.

The news comes as other health-related businesses in New Mexico have experienced cybersecurity incidents in recent years — including Lovelace Health System, which last year had to reroute emergency room patients and reschedule specific surgeries following a ransomware attack on its parent company, Ardent Health Services.

Also last year, Blue Cross and Blue Shield of New Mexico, a health insurer, had its systems breached, which compromised patients' Social Security numbers, bank account information, names, addresses, phone numbers and dates of birth. And in March 2022, patients of First Choice Community Healthcare had their information compromised following a data breach at the Albuquerque-based health clinic.

Thompson Coburn said it "promptly launched an investigation with the assistance of third-party forensic specialists" after it was made aware of the incident on May 29.

The law firm said it encourages involved individuals to "remain vigilant" against identity theft by monitoring account statements, credit reports and explanations of benefits for "unusual activity and to detect errors."