Health technology company HealthEC has disclosed a data breach impacting close to 4.5 million customers of its business partners.
A class action lawsuit has been filed against HealthEC LLC, a health technology company based in New Jersey, following a massive data breach that exposed 4.5 million records belonging to patients from 18 U.S. healthcare providers.
HealthEC sells a population health management solution that healthcare providers rely upon to analyze, forecast and plan engagements with patients, meaning the vendor holds individuals’ personal, medical, and financial data.
The company waited 5 months after learning of the attack before disclosing it on Dec. 22nd – the same day it and its impacted clients began sending breach disclosure letters to affected patients.
It wasn’t until this week, however, when HealthEC’s filing regarding the incident was published on the Department of Health and Human Services’ breach portal, that the extent of the attack became publicly known. According to the HHS listing, 4,452,782 individuals were affected by the breach.
According to the company, an unauthorized party gained access to HealthEC’s computer systems between July 14 and July 23, 2023. During that time, the hackers copied the private financial and medical records of patients whose health providers had provided this information to HealthEC.
After learning of the attack, the Company undertook a thorough review of the breached files in order to identify what specific information was present in the files and to whom it relates.
“This review was completed on or around October 24, 2023 and identified information relating to some of HEC’s clients. HEC began notifying our clients on October 26, 2023, and we worked with them to notify potentially impacted individuals.” Among the 18 affected clients are –
- the Alliance for Integrated Care of New York,
- Advantage Care Diagnostic & Treatment Center
- Beaumont ACO,
- Corewell Health,
- Community Health Care Systems,
- Compassion Health Care,
- East Georgia Healthcare Center,
- Hudson Valley Regional Community Health Centers,
- Illinois Health Practice Alliance,
- Long Island Select Healthcare,
- Metro Community Health Centers,
- Mid Florida Hematology & Oncology Centers,
- State of Tennessee Division of TennCare,
- University Medical Center of Princeton Physicians’ Organization and
- Upstate Family Health Center, Inc.
The regulator notice and impact sample letter published on the Maine Attorney General’s website concerns MD Valuecare, LLC.; this party does not appear in the list of 18 published on their website notice. From this, we can deduce that the breach likely impacted more than currently known. The Maine filing states that 112,005 individuals may have had exposures, but this is unlikely the final number; with 18+ entities breached, the impact is likely to increase as investigations continue.
What Information Was Stolen?
Information obtained by the hackers in the files that were stolen included –
- dates of birth,
- Social Security numbers,
- taxpayer ID numbers,
- health endurance information (including subscriber numbers and Medicare / Medicaid IDs),
- benefits and claims information(including patient accounts, claims, and treatment costs),
- medical record numbers, and
- medical records (including diagnoses, mental and physical conditions, drug prescriptions, and provider info).
How Did The Hackers Manage To Steal My Data?
The lawsuit alleges negligence on the part of HealthEC in safeguarding their sensitive information. Plaintiffs argue that the company failed to implement industry prescribed cybersecurity measures to protect against foreseeable threats, ultimately leading to the unauthorized access and theft of their personal data.
Reduce Your Risk. Join The HealthEC Class Action.
The consequences of the data breach extend beyond the immediate financial and emotional toll on individuals. The incident has also sparked a broader conversation about the need for enhanced cybersecurity measures in the healthcare sector. With the increasing digitization of medical records and the growing reliance on data-driven technologies, the industry faces heightened scrutiny regarding its ability to protect patient information.
If your personal information was impacted by this incident, you may be at risk of identity theft, a broad range of fraud, and other serious violations of your privacy. As a result, you may be entitled to money damages and an injunction requiring changes to HealthEC’s cybersecurity practices.
If you received notification of this data breach from HealthEC and wish to obtain additional information about how to protect your identity or learn of your legal rights, please complete the below form and a data breach lawyer will contact your. There is no cost to you and no obligation on your part.