Healthcare Tech Firm HealthEC LLC Faces Massive Data Breach Affecting 4.5 Million Patients
HealthEC LLC, a leading provider of health management solutions, has fallen victim to a significant data breach, potentially compromising the sensitive information of approximately 4.5 million patients. The breach occurred between July 14 and 23, 2023, but the company only disclosed the incident on December 22. The compromised data includes a range of personal and medical information, such as names, addresses, dates of birth, Social Security numbers, medical records, and health insurance details. The breach also exposed billing and claims information, including patient account numbers and treatment cost details. HealthEC’s population health management platform, used by healthcare organizations for data integration, analytics, and care coordination, suffered unauthorized access during the cyberattack. The investigation into the breach concluded on October 24, 2023, confirming the theft of files containing sensitive information. HealthEC urges affected individuals to remain vigilant against identity theft and fraud by regularly reviewing account statements and monitoring free credit reports for suspicious activity. While HealthEC initially refrained from specifying the number of affected individuals, a recent submission to Maine’s Attorney General’s office revealed that one of the firm’s clients, MD Valuecare, accounted for 112,005 affected persons. However, a new listing on the U.S. Department of Health and Human Services’ breach portal indicates that the total number of impacted individuals is a staggering 4,452,782. Seventeen healthcare service providers and state-level health systems have been identified as victims of this cyberattack on HealthEC. Notable organizations impacted include Corewell Health, HonorHealth, Beaumont ACO, State of Tennessee – Division of TennCare, the University Medical Center of Princeton Physicians’ Organization, and the Alliance for Integrated Care of New York. HealthEC advises affected individuals to promptly report any suspicious activity to relevant parties, such as insurance companies, healthcare providers, and financial institutions. This incident underscores the escalating threat to healthcare data security, emphasizing the critical need for robust cybersecurity measures in the healthcare technology sector.