HealthEC, a leading US healthcare technology company, announced Wednesday the sensitive information of over 4 million individuals was compromised in a massive breach dating back to July 2023.
On December 22nd, the AI-enabled health management platform filed a breach notification with the Maine Attorney General's office, listing only 112,005 victims of the hack, now posted on its website.
Today, January 3rd, that number has dramatically jumped to 4,452,782 impacted individuals, according to the US Department of Health and Human Services breach portal – representing over half of HEC’s 8 million plus members.
In its Maine breach disclosure report, the company is stated to have first discovered the suspicious activity on October 24th, but in the full breach notice, that date has been omitted, making it unclear when exactly HEC became aware of the unauthorized access.
“When this cyberattack initially occurred, the number of individuals affected was listed as a little over 100,000. A new listing revealed that the number is closer to 4.5 million individuals,” said Nick Tausek, Lead Security Automation Architect at Swimlane.
"This disclosure reaffirms the vulnerability of the healthcare sector in 2023, an important reminder as we enter the New Year," Tausek said.
The full December 22nd breach notice states:
“HEC became aware of suspicious activity potentially involving its network and promptly began an investigation, HealthEC stated.
“The investigation determined that certain systems were accessed by an unknown actor between July 14th and July 23rd 2023, and during this time certain files were copied,” it said.
After a “thorough review of the files… completed on or around October 24th, 2023…HEC began notifying our clients on October 26th, and we worked with them to notify potentially impacted individuals.”
The New Jersey-based health company has over 26 clients in 18 states, is connected to over 1 million healthcare providers, and provides services to over 1.4 thousand regional and national payers, its website states.
HealthEC said the types of sensitive information that may have been stolen by the hackers varies by individual, but may include:
- Name, address, date of birth
- Social Security or Taxpayer Identification number
- Medical Record number
- Medical information (including but not limited to Diagnosis, Diagnosis Code, Mental/Physical Condition, Prescription information, and provider's name and location)
- Health insurance information (including but not limited to beneficiary number, subscriber number, Medicaid/Medicare identification)
- Billing and Claims information (including but not limited to patient account number, patient identification number, and treatment cost information)
From medical societies to hospitals, HealthEC named at least 17 healthcare providers – considered either business partners or customers – impacted in the breach.
Bigger names include Corewell Health in Michigan (formally Spectrum Health), New Jersey’s University Medical Center of Princeton Physicians' Organization, New York City’s Metro Community Health Centers, Mid Florida Hematology & Oncology Centers, and Canada’s KidneyLink.
“For companies like HealthEC that manage the sensitive information of millions across providers, cybersecurity must remain a top priority,” explained Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.
“By adopting a more threat-informed defense strategy, organizations can proactively respond to threats,” Costis said.
The digital health platform, which analyzes data to identify high-risk patients and predict and improve health outcomes, also services multiple government health offices, including state Medicaid agencies and state & county health departments.
Additionally, HEC services numerous payers from Medicaid managed care organizations, Medicare Advantage plans, and various employer health plans.
Costis said organizations like HealthEC should be leveraging the common tactics, techniques, and procedures (TTPs) used by threat actors, testing them against their current security measures to identify any gaps or potential blind spots.
“Simulating these attacks through continuous testing will help promote a more proactive and efficient response, Costis added.
HEC said it is currently reviewing its existing policies and procedures and will provide guidance to individuals affected, including twelve months or longer of credit monitoring and identity protection services.
More from Cybernews:
Subscribe to our newsletter