HealthEC data breach impacts 4.5M patients

In healthcare, data breaches are a matter of “when,” not “if.” Population health management platform HealthEC is the latest entity to experience the truth of this saying after unauthorized actors accessed its systems in July of 2023. 

Nearly 4.5 million patients receiving care at health systems using HealthEC were affected by the breach, which compromised demographic, administrative, and clinical information.   

The type of information identified as compromised varies by individual, but includes name and address, Social Security numbers, medical record numbers, diagnosis information, prescription information, health plan information, patient account numbers, and treatment cost data. 

What happened during this cybersecurity event?

According to a breach notification published on December 22, 2023, HealthEC determined that certain systems were accessed by an unknown actor between July 14 and July 23, 2023. 

“We then undertook a thorough review of the files in order to identify what specific information was present in the files and to whom it relates,” the company stated. “This review was completed on or around October 24, 2023, and identified information relating to some of HEC’s clients. HEC began notifying our clients on October 26, 2023, and we worked with them to notify potentially impacted individuals.” 

HealthEC has business partners across many states, and patients at more than a dozen of these healthcare organizations were involved in the event. Affected entities include TennCare, which is Tennessee’s Medicaid program, as well as a cancer care center in Florida and several community health centers (CHCs) in Georgia and New York. 

“We take this event, your privacy, and the security of information in our care very seriously,” HealthEC wrote. “Upon learning of the suspicious activity, we moved immediately to investigate and respond. The investigation included confirming the security of our network, reviewing the relevant files and systems, notifying potentially affected business partners/customers, and notifying federal law enforcement. As part of our ongoing commitment to your privacy and the security of information in our care, we are also reviewing our existing policies and procedures.” 

Closing out a record year of data breaches in 2023

The 4.5 million patients involved places the breach among the top 10 cybersecurity events in 2023, wrapping up a blockbuster year for cybercriminals. By the end of October, the year had already earned the unenviable distinction of seeing twice as many patients affected by breaches compared to the year before. At that point, more than 87 million individuals saw their data compromised, and several late-breaking events have pushed that total even higher. 

Recent breaches have shown that hackers are getting more creative with their targets, hitting technology developers and service providers as well as directly going after healthcare organizations.  

For HIPAA business associates that work closely with patient data, this trend should set off alarm bells. This is especially important for companies that work in cloud environments, which are increasingly vulnerable to compromise.   

With technology becoming more complex than ever, and cybercriminals keeping pace with the latest defenses, companies will need to double down on their efforts to adequately safeguard their internal infrastructure, as well as the pipelines that connect them to their customers, to avoid being the next victim on the list. 

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.