Healthcare Tech Firm HealthEC Data Breach Impacted Nearly 4.5 Million Patients

Healthcare tech solutions provider HealthEC LLC has experienced a data breach impacting nearly 4.5 million individuals across various states.

The firm operates a population health management system that helps healthcare providers identify high-risk patients, bridge the gaps in healthcare, and optimize service delivery.

In July 2023, HealthEC detected suspicious activity on its network, notified federal law enforcement, and launched an investigation. The probe was completed on October 24, 2023, and determined that hackers had accessed certain systems and files.

On December 22, 2023, the healthcare tech firm began notifying impacted individuals, detailing the nature of the leaked information, which varied per individual.

HealthEC healthcare tech data breach leaked PII and PHI

Healthcare tech firm HealthEC assessed the breached systems and determined that the hackers accessed personal information, which includes names, addresses, dates of birth, Social Security numbers, and taxpayer identification numbers.

Additionally, the data breach leaked protected health information (PHI), including medical record number, diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name and location. Health insurance information, including beneficiary number, subscriber number, and Medicaid/Medicare identification, was also accessed during the external hacking incident.

The unidentified hackers also accessed patient billing and claims information, including patient account numbers, identification numbers, and treatment cost information. Seemingly, the threat actors did not access credit card or banking account information.

Nevertheless, the leaked information is a goldmine for identity theft and targeted phishing attacks when combined with data from other sources. The healthcare tech firm therefore advised customers to be on the lookout for suspicious activity.

“In general, individuals should remain vigilant against incidents of identity theft and fraud by reviewing account statements, explanation of benefits statements, and monitoring free credit reports for suspicious activity and to detect errors,” the healthcare tech company wrote.

The healthcare tech firm also offered 12 months of credit monitoring and identity protection services with TransUnion.

According to a listing on the U.S. Department of Health and Human Services (HHS) website, the healthcare tech data breach impacted 4,452,782 individuals. This figure includes over 1 million Michigan residents impacted through Beaumont ACO and Corewell Health.

Seventeen healthcare providers were affected by the cyber attack, including the Hudson Valley Regional Community Health Centers, the Alliance for Integrated Care of New York, Corewell Health, Metro Community Health Centers, HonorHealth, Beaumont ACO, Upstate Family Health Center, Division of TennCare, and the University Medical Center of Princeton Physicians’ Organization.

Healthcare sector under attack

HealthEC is hardly the only healthcare tech firm to experience a data breach in the past few months.

In November 2023, Welltok Inc., a software company, experienced a data breach impacting 1 million Michigan patients, while McLaren Health Care suffered a ransomware attack affecting 2.5 million patients.

Similarly, the University of Michigan leaked medical records and personally identifiable information (PII), including government-issued IDs and Social Security numbers, in August 2023.

Lamenting numerous health data breaches affecting the state, Michigan Attorney General Dana Nessel has proposed federal legislation forcing organizations to report data breaches promptly to mitigate the impacts of personal data exposure.

“Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection,” AG Nessel said. “It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”

HealthEC has not disclosed if the data breach resulted from a ransomware attack, the threat actor’s identity, or if it has received any ransom demands.

“The healthcare sector remained a top target for cyberattacks during 2023, with notable attacks involving HCA Healthcare with the data of 11 million patients exposed and the Colorado Department of Health Care Policy and Financing MOVEit breach,” said Kevin Kirkwood, Deputy CISO at LogRhythm. “This updated disclosure from HealthEC LLC serves as a stark reminder that these threats persist.”

Kirkwood recommended a security posture based on threat detection and response, allowing organizations to gain visibility into their IT infrastructure, detect threats in real time, and facilitate a more efficient incident response.

“In addition to threat detection, password hygiene and regular backups should be prioritized,” he concluded.