Population Health Management Firm's Breach Affects Millions

HealthEC Hack Also Compromised More Than a Dozen US Healthcare Systems

A hacking incident at a New Jersey-based vendor of artificial intelligence-enabled population health management services has affected more than a dozen of its healthcare clients across the country and nearly 4.5 million of their patients.

HealthEC LLP, headquartered in Edison, New Jersey, reported the hack to the U.S. Department of Health and Human Services as a HIPAA business associate on Dec. 21, saying the breach involved a network server.

In a breach notice posted on its website, HealthEC said it had "promptly" launched an investigation after it became aware of suspicious activity involving its network.

HealthEC did not say when it had discovered the unusual activity but said its investigation determined that certain systems had been accessed by "an unknown actor" between July 14 and July 23, 2023, during which time certain files were copied.

"We then undertook a thorough review of the files in order to identify what specific information was present in the files and to whom it relates. This review was completed on or around Oct. 24, 2023, and identified information relating to some of HEC's clients." HealthEC said it had begun to notify its clients on Oct. 26 and was working with them to notify potentially affected individuals.

The incident affected about 17 of HealthEC's clients, including Corewell Health, HonorHealth, University Medical Center of Princeton Physicians' Organization, Community Health Care Systems, the State of Tennessee's Division of TennCare, Beaumont ACO, KidneyLink, Alliance for Integrated Care of New York, Compassion Health Care, Metro Community Health Centers, Advantage Care Diagnostic and Treatment Center, Long Island Select Healthcare, Mid Florida Hematology and Oncology Centers (which does business as Mid-Florida Cancer Centers), Illinois Health Practice Alliance, East Georgia Healthcare Center, Hudson Valley Regional Community Health Centers, and Upstate Family Health Center.

Data compromised in the incident potentially includes individuals' names, addresses, birthdates, Social Security numbers, taxpayer identification numbers, medical record numbers and medical information such as diagnosis, diagnosis code, mental and physical condition, prescription information, and provider's name and location.

Other information potentially affected includes health insurance information such as beneficiary number, subscriber number, Medicaid and Medicare identification and billing and claims information, including patient account number, patient identification number, and treatment cost.

HealthEC said it is reviewing its existing data privacy and security policies and procedures.

The company did not immediately respond to Information Security Media Group's request for additional details regarding the incident.

As of Jan. 3, the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website shows 694 major health data breaches, affecting nearly 127.5 million individuals, that were reported in 2023.

Of those, the HealthEC incident currently ranks as the sixth-largest health data breach posted on the HHS OCR website in 2023 overall and the fifth-largest breach reported by a business associate in 2023, so far.

HHS OCR is likely to post to its website additional breaches reported in 2023 as the agency continues to review and confirm breach reports received from covered entities and business associates in the final weeks of the year.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



