Valle del Sol

A Public Service Announcment

Please be aware that if you received health care from Valle del Sol, Inc., whose headquarters is located a 3807 N 7th St., Phoenix AZ 85014 your ePHI (electronic Private Healthcare Information) may have been compromised. If you have not received a letter from Valle del Sol, Inc informing you that your ePHI might be in the hands of bad actors who may advertise it on the dark web. If you have not been contacted by Valle del Sol, Inc. you should contact one or more of the following agencies.

Department of Health and Human Services’
Office for Civil Rights (OCR).
You may file an online complaint at: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
or call 1-800-368-1019 for further information.



Arizona - Office of the Attorney General
2005 N Central Ave
Phoenix, AZ 85004-2926
(602) 542-5025
Ask them about Data Privacy and Security


It was reported on April 29, 2019 by one of Valle del Sol's vendors that it looked like one of the servers was compromised. Further investigation revealed that it was not just one server but all servers (50+) at the data center had their administrative account cracked. This includes servers that contained ePHI data including the Nextgen EHR group of servers including SQL, the Addiction Management System and ClaimTrac. The investigation also revealed the breach went as far back as December 2018, maybe further.

Was this breach preventable? Well at most companies the answer is yes, but at Valle del Sol a breach should have been expected. Let us take look at Information Security at Valle del Sol, Inc. On April 28, 2011 IT Manager R.D had a meeting with then CFO T.C. A comprehensive Information Security Handbook was presented to the CFO, but it was dismissed as not being necessary. In 2014 Valle del Sol hired a Director of Information Technology with a speciality in Information Security. One of the first things IT Director C.S asked the IT Manager for was a copy of the Valle del Sol IT Policies. The current policies presented to IT Director C.S were inufficient in his opion. The IT Manager also informed the IT Directior of the meeting with CFO and the outcome of that meeting. IT Manager R.D presented the IT Director with a copy of Inormation Security Handbook that was previously presented to the CFO. In the IT Director's opinon this Handbook was more more than adaquite. The IT Director and IT Manager had another meeting in 2014 with the CFO and presented the Information Security Handbook. Once again the CFO said it was not necessary.

Maybe the breach was the reason for the netwwork slowness which staff was always complaining about. The actors could have been siphoning off the data, or maybe the breach caused the Nextgen ePHI SQL database to become corrupt. Microsoft had to be contacted to help Valle del Sol get the database fixed. But Valle del Sol will never know since the Chief of Complience and IT Roslynne (Lynne) Emmons never had a foresnic analysis performed. It seems that Chief Emmons only wanted the servers cleaned of the malware and didn't care about anything else related to the breach. Of course during this crisis Chief Emmons went on vacation/PTO the following week.

This was not the only breach at Valle del Sol. On September 20, 2016 Valle del Sol experienced a Ramsomware attact. This was not the first time that Valle del Sol was hit by ramsonware. Both times the IT Manager was able to recover all data from a nightly backup.

Besides breaches of the servers at Valle del Sol, Inc., the crack staff also emails back and forth with bad actors. For example, on April 4, 2019, the Director of Human Resources, Desiree Cogley was communicating with a bad actor and managed to deposit a Direct Deposit check to the actor. The check was for the CFO, K.N. So you can see Valle del Sol really does not have any security.