HealthEC LLC, a health management solutions company, recently suffered a large data breach affecting patients across the United States.
What happened
HealthEC provides AI-enabled population health management (PHM) to create a community health record for patients, giving a healthcare system a full picture of a patient’s care. They serve approximately 26 clients in 18 states, working with over a million providers.
Recently, HealthEC released a notice of a cyber security event. In the notice, HealthEC said they conducted an investigation upon noticing suspicious activity in their network. The investigation revealed that an unknown actor accessed their network between July 14th, 2023 and July 23rd, 2023. They completed their investigation on October 24th, 2023, and began to send notices to impacted patients on October 26th.
Going deeper
During their investigation, HealthEC determined several files had been copied. After reviewing the files, they determined that copied information included names, addresses, dates of birth, Social Security numbers, Taxpayer ID numbers, Medical Record numbers, medical and health insurance information, and billing information.
The company partners with a variety of healthcare organizations that were impacted, including:
- Corewell Health
- HonorHealth
- University Medical Center of Princeton Physicians’ Organization
- Community Health Care Systems
- State of Tennessee
- Division of TennCare
And many more across the United States. In total, it is estimated that 4.5 million patients had their data stolen. In response, HealthEC is offering 12 months of credit monitoring and identity protection services.
What they are saying
In their notice, HealthEC said, “We take this event, your privacy, and the security of information in our care very seriously. Upon learning of the suspicious activity, we moved immediately to investigate and respond.
Their investigation included, “Confirming the security of our network, reviewing the relevant files and systems, notifying potentially affected business partners/customers, and notifying federal law enforcement.” They also stated they will review their existing policies and procedures to prevent future attacks.
Why it matters
For some patients, this breach is part of a frustrating trend of stolen data. Michigan has been hit particularly hard, after having over a million patients impacted by the Welltok breach.
In response to the news, Michigan Attorney General Dana Nessel said in a statement, “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”
Other states similarly face an onslaught of breaches and hope to ramp up protections. In November, New York Governor Kathy Hochul announced her administration would be improving their cybersecurity defenses, with a focus on hospitals, which appear to be heavily targeted.
Read more: New York proposes new security regulations for hospitals
The big picture
While HealthEC has completed its investigation, there may be further updates if other government bodies decide to investigate further or if any individuals decide to seek restitution.
As more breaches occur, it’s likely that states will begin proposing new regulations in an effort to curb the growing threat of attack.
Related: HIPAA Compliant Email: The Definitive Guide.
Abby Grifno
