HealthEC Data Breach Impacts 4.5 Million Patients

Written by

A data breach at HealthEC LLC has impacted nearly 4.5 million people, with highly sensitive medical information accessed by cyber attackers.

The New Jersey-based health tech company first reported that 112,005 individuals were affected by the breach in a notification to the Office of the Maine Attorney General on December 21, 2023.

However, a listing posted on the website of the US Department of Health and Human Services Office for Civil Rights on January 3, 2024, put the figure at close to 4.5 million.

What is the Extent of the HealthEC Breach?

In a notice on its website dated December 22, 2023, HealthEC revealed that an unknown actor accessed some of its systems between July 14 and July 23, resulting in certain files being copied.

Following a review completed on or around October 24, the firm determined that highly sensitive information was exposed, including:

  • Medical record numbers
  • Medical data, including patients’ diagnosis, mental/physical condition and prescription information
  • Health insurance information, such as beneficiary number and Medicaid/Medicare identification
  • Billing and claims data, including patient account number and treatment cost information
  • Personally identifiable information, such as name, address, date of birth, social security number, taxpayer identification number

Additionally, 17 US healthcare organizations which are partners or customers of HealthEC were impacted by the breach. HealthEC said it began notifying these organizations on October 26, and worked with them to notify potentially impacted individuals.

The company stated it has notified federal law enforcement of the breach and is reviewing its existing policies and procedures relating to the information it holds.

What do Affected Individuals Need to Do?

Impacted customers have been urged to take the following steps to protect themselves from identity theft and fraud:

  • Review account statements was suspicious activity
  • Request a free credit report to monitor for suspicious activity 
  • Place an initial or extended ‘fraud alert’ on their credit file
  • Report any suspicious activities to relevant parties, including insurance companies, financial institutions and law enforcement

Commenting on the breach, Nick Tausek, lead security automation architect at Swimlane, noted: “This disclosure reaffirms the vulnerability of the healthcare sector in 2023, an important reminder as we enter the new year.”

Andrew Costis, chapter lead of the adversary research team at AttackIQ, said that companies like HealthEC that manage the sensitive information of millions across providers must adopt a more threat-informed defense strategy to be able to proactively respond to threats.

“Organizations can leverage the common tactics, techniques, and procedures (TTPs) used by threat actors, testing them against their current security measures to identify any gaps or potential blind spots. Simulating these attacks through continuous testing will help promote a more proactive and efficient response,” he explained.

What’s hot on Infosecurity Magazine?