An attack on technology company HealthEC exposed almost 4.5 million records belonging to patients signed up to 18 U.S. healthcare providers.
For one Michigan provider, it was the second time in a matter of months that a significant amount of its patient data — about a million records — were breached due to a hack related to its supply chain.
HealthEC sells a population health management solution that healthcare providers rely upon to analyze, forecast and plan engagements with patients, meaning the vendor holds individuals’ personal, medical, and financial data.
The company disclosed the hack on Dec. 22, the same day it and its impacted clients began sending breach disclosure letters to affected patients.
It wasn’t until this week, however, when HealthEC’s filing regarding the incident was published on the Department of Health and Human Services’ breach portal, that the extent of the attack became publicly known. According to the HHS listing, 4,452,782 individuals were affected by the breach.
In its initial disclosure, HealthEC said unidentified threat actors accessed some of its systems from July 14-23 last year, during which time certain files were copied.
“We then undertook a thorough review of the files in order to identify what specific information was present in the files and to whom it relates,” the company said.
“This review was completed on or around October 24, 2023 and identified information relating to some of HEC's clients. HEC began notifying our clients on October 26, 2023, and we worked with them to notify potentially impacted individuals.”
The 18 affected clients included the Alliance for Integrated Care of New York, Beaumont ACO, Corewell Health, HonorHealth, TennCare, and the University Medical Center of Princeton Physicians’ Organization.
Files that were stolen included patients’ personal details such as Social Security and Taxpayer Identification Numbers, their medical condition, treatment and prescription details, health insurance information, and billing and claims records.
Déjà vu for Corewell Health, patients in Michigan
For Michigan’s Corewell Health, it was the second time in a matter of months the organization’s patients found themselves victims of a major data breach due to an attack targeting one of its suppliers.
In a statement last week, Michigan Attorney General Dana Nessel said the HealthEC breach affected more than a million residents in the state.
In November, Nessel said about a million Michiganders were impacted by another supply chain attack affecting HealthEC patients: a May 30 breach of patient engagement firm Welltok. Almost 8.5 million individuals’ records were stolen from Welltok by the Clop ransomware gang as part of its prolific series of raids targeting MOVEit Transfer users.
Another large healthcare system in the state, McLaren Health Care, lost more than 2 million records in an August cyberattack, the same month the University of Michigan suffered a major cyberattack.
In her statement last week, Attorney General Nessel said Corewell Health contacted her department ahead of their public announcement about the most recent breach, even though they were not required by Michigan law to do so. The department often learned about data breaches through media reports, she said.
“Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection,” she said.
“It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”
According to information compiled by the International Association of Privacy Professionals, as of March 2021, 35 states plus the District of Columbia required that their state attorneys general be notified when data breaches occurred.