Pierluigi Paganini January 04, 2024

Healthcare technology company HealthEC disclosed a data breach that exposed the personal information of 4.5 million Individuals.

Healthcare technology company HealthEC (HEC) disclosed a data breach that impacted 4.5 million customers of its business partners.

HealthEC is a healthcare technology company that provides solutions for care coordination, population health management, and value-based care. The company’s platform is designed to help healthcare organizations, providers, and payers improve patient outcomes, enhance care coordination, and manage population health effectively.

HEC discovered that an unknown actor gained access to some of its systems between July 14, 2023 and July 23, 2023, and copied some files. The files contained information belonging to some of HEC’s clients. The healthcare firm began notifying impacted clients on October 26, 2023, and worked with them to notify potentially impacted individuals.

The types of information vary by individual but includes name, address, date of birth, Social Security number, Taxpayer Identification number, Medical Record number, Medical information (including but not limited to Diagnosis, Diagnosis Code, Mental/Physical Condition, Prescription information, and provider’s name and location), Health insurance information (including but not limited to beneficiary number, subscriber number, Medicaid/Medicare identification), and/or Billing and Claims information (including but not limited to patient account number, patient identification number, and treatment cost information).

“HealthEC’s impacted business partners include Corewell Health, HonorHealth, University Medical Center of Princeton Physicians’ Organization, Community Health Care Systems, State of Tennessee, Division of TennCare, Beaumont ACO, KidneyLink, Alliance for Integrated Care of New York, LLC, Compassion Health Care, Metro Community Health Centers, Advantage Care Diagnostic & Treatment Center, Inc., Long Island Select Healthcare, Mid Florida Hematology & Oncology Centers, P.A, d/b/a Mid-Florida Cancer Centers, Illinois Heath Practice Alliance, LLC, East Georgia Healthcare Center, Hudson Valley Regional Community Health Centers, and Upstate Family Health Center, Inc.” reads a notice published by the company on its website.

According to the data breach notification sent to the US Department of Health and Human Services on December 21, 2023, the number of impacted individuals is 4.452.782.

Health EC is recommending that impacted individuals remain vigilant against possible identity theft and fraud attacks. The company suggests reviewing account and benefits statements, explanation of benefits statements, and monitoring free credit reports for suspicious activity and detecting errors.

“Suspicious activity should be promptly reported to relevant parties including an insurance company, health care provider, and/or financial institution.” concludes the notice.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Artificial Intelligence)