Serviceaide leak impacts over 480K Catholic Health patients


Serviceaide, a software development company, has inadvertently leaked the sensitive information of over 480,000 Catholic Health patients.

In November last year, Serviceaide discovered that information they managed and stored for a US healthcare provider, Catholic Health, had been “inadvertently made publicly available.”

Upon finding out that Catholic Health’s Elasticsearch database was leaked to the public, Serviceaide said they took steps to secure it and initiated an investigation.

Serviceaide discovered that between September and November of 2024, patients’ information was openly available.

The information exposed may include:

  • Names
  • Social Security numbers
  • Dates of birth
  • Medical record numbers
  • Patient account numbers
  • Medical/health information
  • Health insurance information
  • Prescription/treatment information
  • Clinical information
  • Provider names
  • Provider locations
  • Emails/usernames and passwords

Health information is extremely valuable in the cybercrime world, as it tends not to change over time.

This kind of sensitive information could be used by threat actors to launch highly personalized and sophisticated attacks. Furthermore, cybercriminals can use it to profile patients and commit various forms of fraud, from identity theft to phishing attacks.

Threat actors searching for huge unsecured databases could use this information to open new credit accounts, make unauthorized purchases in your name, or obtain loans under false pretenses.

While Serviceaide found no evidence that patients’ personally identifiable information was copied or used to commit fraud, the company is “unable to rule out this type of activity.”

Serviceaide didn’t specify how many patients were affected by the breach in its notification.

However, information from the US Department of Health and Human Services (HHS) shows that over 483,000 individuals were affected.

On the breach portal, the leak is identified as “unauthorized access or disclosure” of information as opposed to a hacking or IT incident.

Serviceaide has started sending breach notification letters to affected individuals and has “implemented additional security measures to further protect against similar incidents occurring in the future.”

The company has said that under US law, consumers are entitled to one free credit report annually via Equifax, Experian, and TransUnion.
