HealthEC LLC, a provider of health management solutions to healthcare providers, suffered a data breach that impacted close to 4.5 million individuals who receive care through one of the company’s customers. This is the seventh-largest breach in 2023 reported to government authorities.
HealthEC filed a breach report with the U.S. Department of Health and Human Services (HHS) on December 21, 2023.
New Jersey-based HealthEC is a health technology company and HIPAA business associate that provides population health management software that healthcare organizations use for data integration, analytics, care coordination, patient engagement, compliance, and reporting.
HealthEC’s public breach notice explains that the company noticed suspicious activity on its network and began an investigation. The investigation revealed that an unknown actor accessed systems between July 14, 2023, and July 23, 2023, and certain files were copied. The notice did not say when the company first saw the suspicious activity, but the investigation was completed on or around October 24, 2023.
The protected health information (PHI) stolen by the cyber attacker included:
- Name
- Address
- Date of birth
- Social Security number
- Taxpayer Identification Number
- Medical Record number
- Medical information (diagnosis, diagnosis code, mental/physical condition, prescription information, and provider’s name and location)
- Health insurance information (beneficiary number, subscriber number, Medicaid/Medicare identification)
- Billing and claims information (patient account number, patient identification number, and treatment cost information)
About 17 of HealthEC’s healthcare provider customers were impacted, including Corewell Health, HonorHealth, University Medical Center of Princeton Physicians’ Organization, Community Health Care Systems, State of Tennessee, Division of TennCare, Beaumont ACO, KidneyLink, Alliance for Integrated Care of New York, LLC, Compassion Health Care, Metro Community Health Centers, Advantage Care Diagnostic & Treatment Center, Inc., Long Island Select Healthcare, Mid Florida Hematology & Oncology Centers, P.A., d/b/a Mid-Florida Cancer Centers, Illinois Health Practice Alliance, LLC, East Georgia Healthcare Center, Hudson Valley Regional Community Health Centers, and Upstate Family Health Center, Inc.
Business Associate Breaches Affect Large Numbers
For cyber criminals, an attack on a business associate like HealthEC is a shortcut to a treasure trove of data. All covered entities and all of their business associates need to comply with HIPAA.
Although none of HealthEC’s customers experienced this cyberattack firsthand, all of them were breached. This is why HIPAA requires business associates to comply with HIPAA and covered entities (e.g., providers and health plans) to perform due diligence and enter business associate agreements with third-party vendors handling PHI.