Hack on AI-Enabled Population Health Management Vendor Impacts Healthcare Clients and Millions of Patients

A hacking incident at a New Jersey-based vendor of artificial intelligence-enabled population health management services has resulted in a significant breach affecting more than a dozen healthcare clients across the country and nearly 4.5 million of their patients. HealthEC LLP, headquartered in Edison, New Jersey, reported the attack to the U.S. Department of Health and Human Services (HHS) as a HIPAA business associate on December 21. The breach involved unauthorized access to a network server, raising concerns about the security of sensitive patient information.

Background

HealthEC LLP, a leading provider of population health management solutions, is recognized in the healthcare industry for its innovative use of artificial intelligence. As a HIPAA business associate, the company is responsible for handling and safeguarding protected health information (PHI) on behalf of its healthcare clients. HIPAA mandates strict security and privacy measures to protect the PHI of patients.

Incident timeline

The breach incident at HealthEC was initially discovered through an investigation, although the exact date of the discovery was not specified. Upon investigation, it was determined that certain systems had been accessed by an unknown actor between July 14 and July 23, 2023. During this time frame, sensitive files were unlawfully copied, raising concerns about the extent of the breach and the potential compromise of patient data.

Affected clients

Approximately 17 of HealthEC’s healthcare clients have been impacted by the breach. These clients include Corewell Health, HonorHealth, University Medical Center of Princeton Physicians’ Organization, Community Health Care Systems, the State of Tennessee’s Division of TennCare, and several others. The scope of the breach highlights the far-reaching implications for healthcare organizations that rely on external vendors for critical services.

Compromised data

The breach exposed a significant amount of sensitive information. Potentially compromised data includes individuals’ names, addresses, birth dates, Social Security numbers, taxpayer identification numbers, medical record numbers, and detailed medical information such as diagnosis, diagnosis code, mental and physical condition, prescription details, and provider information. This highly valuable data can be exploited for various fraudulent activities, putting individuals at risk of identity theft and financial harm.

Furthermore, health insurance information has also potentially been compromised, including beneficiary numbers, subscriber numbers, Medicaid and Medicare identification, and billing and claims information. This breach of insurance data raises concerns about potential fraudulent claims and the misuse of insurance benefits.

Steps taken by HealthEC

In response to the breach, HealthEC promptly reported the incident to the HHS Office for Civil Rights as required by HIPAA regulations. The company is actively investigating the breach to determine the extent of the impact and potential risks to affected patients. In addition, HealthEC is reviewing its existing data privacy and security policies and procedures to strengthen its defense against future attacks.

Lack of additional details

Despite the significant impact of the breach, HealthEC has not provided additional details beyond what has been reported. Information Security Media Group’s request for further information regarding the incident remains unanswered, leaving affected clients and patients with limited knowledge about the breach and potential risks.

The overall breach situation in 2023

The breach at HealthEC is not an isolated incident. As of January 3, the HHS Office for Civil Rights’ HIPAA Breach Reporting Tool website documented 694 major health data breaches reported in 2023. These breaches have affected nearly 127.5 million individuals, underscoring the growing threat landscape facing the healthcare industry. The frequency and scale of these breaches highlight the urgent need for robust cybersecurity measures and heightened vigilance to protect patient data.

Future breach reports

HHS OCR is expected to continue updating its website with additional breaches reported in 2023. The agency continues to review and confirm breach reports received from covered entities and business associates. This ongoing disclosure process emphasizes the importance of transparency in the healthcare sector to ensure that affected individuals are promptly informed about breaches and can take appropriate action to protect themselves against potential harm.

The breach at HealthEC, impacting multiple healthcare clients and millions of patients, serves as a stark reminder of the persistent cybersecurity challenges faced by the healthcare industry. Hackers, driven by the potential monetary gain from patient data, continue to exploit vulnerabilities in the digital infrastructure of healthcare organizations. The breach reinforces the need for comprehensive security measures, mandatory reporting, and continuous evaluation of data privacy and security policies. As the healthcare sector embraces technologies like artificial intelligence and population health management, it must also prioritize the protection of patient information to prevent detrimental breaches and safeguard the trust patients place in the industry.
