Data breach at healthcare tech firm impacts 4.5 million patients

HealthEC LLC, a provider of health management solutions, suffered a data breach that impacts close to 4.5 million individuals who received care through one of the company's customers.

HealthEC provides a population health management (PHM) platform that healthcare organizations can use for data integration, analytics, care coordination, patient engagement, compliance, and reporting.

On December 22, the firm disclosed that it suffered a data breach between July 14 and 23, 2023, which resulted in unauthorized access to some of its systems.

An investigation of the incident concluded on October 24, 2023, and revealed that the intruder had stolen files from the breached systems hosting the following data types:

• Name
• Address
• Date of birth
• Social Security number
• Taxpayer Identification Number
• Medical Record number
• Medical information (diagnosis, diagnosis code, mental/physical condition, prescription information, and provider's name and location)
• Health insurance information (beneficiary number, subscriber number, Medicaid/Medicare identification)
• Billing and claims information (patient account number, patient identification number, and treatment cost information)

"In general, individuals should remain vigilant against incidents of identity theft and fraud by reviewing account statements, explanation of benefits statements, and monitoring free credit reports for suspicious activity and to detect errors," reads HealthEC's notification.

The company recommends that "suspicious activity should be promptly reported to relevant parties including an insurance company, health care provider, and/or financial institution."

At the time of the cyberattack, HealthEC didn't specify how many people were impacted by the intrusion, but a submission to Maine's Attorney General's office that concerned just one of the firm's clients, MD Valuecare, set the number of affected persons to 112,005.

A new listing that appeared earlier today on the breach portal of the U.S. Department of Health and Human Services shows the larger picture, informing that the total number of affected individuals is 4,452,782.

There are 17 healthcare service providers and state-level health systems that were impacted by the cyberattack on the HealthEC tech solutions provider.

Some major organizations listed in the notice include Corewell Health, HonorHealth, Beaumont ACO, State of Tennessee – Division of TennCare, the University Medical Center of Princeton Physicians' Organization, and the Alliance for Integrated Care of New York.