HealthEC Cyberattack Affects 4.45 Million

HealthEC LLC, a provider of health management solutions to healthcare providers, suffered a data breach that impacted close to 4.5 million individuals who receive care through one of the company’s customers. This is the seventh-largest breach in 2023 reported to government authorities.

HealthEC filed a breach report with the U.S. Department of Health and Human Services (HHS) on December 21, 2023.

New Jersey-based HealthEC is a health technology company and HIPAA business associate that provides population health management software that healthcare organizations use for data integration, analytics, care coordination, patient engagement, compliance, and reporting.

HealthEC’s public breach notice explains that the company noticed suspicious activity on its network and began an investigation. The investigation revealed that an unknown actor accessed systems between July 14, 2023, and July 23, 2023, and certain files were copied. The notice did not say when the company first saw the suspicious activity, but the investigation was completed on or around October 24, 2023.

The protected health information (PHI) stolen by the cyber attacker included:

  • Name
  • Address
  • Date of birth
  • Social Security number
  • Taxpayer Identification Number
  • Medical Record number
  • Medical information (diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name and location)
  • Health insurance information (beneficiary number, subscriber number, Medicaid/Medicare identification)
  • Billing and claims information (patient account number, patient identification number, and treatment cost information)

About 17 of HealthEC’s healthcare provider customers were impacted, including Corewell Health, HonorHealth, University Medical Center of Princeton Physicians’ Organization, Community Health Care Systems, State of Tennessee, Division of TennCare, Beaumont ACO, KidneyLink, Alliance for Integrated Care of New York, LLC, Compassion Health Care, Metro Community Health Centers, Advantage Care Diagnostic & Treatment Center, Inc., Long Island Select Healthcare, Mid Florida Hematology & Oncology Centers, P.A., d/b/a Mid-Florida Cancer Centers, Illinois Health Practice Alliance, LLC, East Georgia Healthcare Center, Hudson Valley Regional Community Health Centers, and Upstate Family Health Center, Inc.

Business Associate Breaches Affect Large Numbers

For cyber criminals, an attack on a business associate like HealthEC is a shortcut to a treasure trove of data. All covered entities and all of their business associates need to comply with HIPAA.

Although none of HealthEC’s customers experienced this cyberattack firsthand, all of them were breached. This is why HIPAA requires business associates to comply with its rules, and requires covered entities (e.g., providers and health plans) to perform due diligence and enter into business associate agreements with third-party vendors handling PHI.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC, she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance.
